Impossible to IPfilter this?

Lupe Christoph lupe at lupe-christoph.de
Thu Jun 12 11:41:36 PDT 2003


On Thursday, 2003-06-12 at 13:21:38 +0200, Gerhard Sittig wrote:

> In this scenario (would I be in the situation to have to filter
> this traffic:) I would wish for some flag or "handle" to recognize
> the different times the packet runs through the filter.  There is
> quite a huge difference between "letting ESP/AH in at fxp0 and
> accept IPv4 -- maybe RFC1918 addresses -- from this tunnel (but
> not otherwise)" and "letting ESP/AH as well as IPv4 in at fxp0".
> Not wanting or having to extend the established filter syntax or
> the programming interface already laid out almost naturally makes
> the "interface" property of a packet one such handle.

I've used ipsec0 on Linux for similar purposes, and I would like to see
an IPSec interface in FreeBSD as well. As I said, I could not get GIF to
work with FreeS/WAN, so I'm stuck with the current interface-deprived
IPSec implementation.

But at least (and at last!) I can use IPFilter rules for IPSec traffic,
thanks to Crist's suggestion. Since I just want to prohibit traffic to
"this host", that's enough for me.

Thank you all,
Lupe Christoph
-- 
| lupe at lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                         |
| "Thief of Time", Terry Pratchett                                       |
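The two-pass situation the thread describes, written out as an IPFilter rule set. This is an added illustration, not a rule set posted by anyone in the thread and not Crist's suggestion, which is not reproduced here. It assumes the model the quoted text gives: the packet hits the filter once as ESP/AH on fxp0 and, after decapsulation, a second time as plain IPv4 still attributed to fxp0. All addresses (203.0.113.1 as the IPsec peer, 203.0.113.2 as this host, 10.0.0.0/8 and 192.168.0.0/16 as the tunnelled RFC1918 networks) are constructed for the example.

```conf
# ipf.conf fragment (added example, constructed addresses).
# fxp0 is the external interface, 203.0.113.2 is "this host",
# 203.0.113.1 is the IPsec peer. "quick" means first match wins.

# First pass: the packet arrives on fxp0 still wrapped in ESP or AH.
# Only the known peer may send protected traffic to this host.
pass in quick on fxp0 proto esp from 203.0.113.1 to 203.0.113.2
pass in quick on fxp0 proto ah  from 203.0.113.1 to 203.0.113.2

# Second pass: after decapsulation the inner IPv4 packet runs through
# the filter again and is still seen as arriving on fxp0. These rules
# operate on the cleartext payload.
# What the message asks for: prohibit tunnelled traffic aimed at
# this host itself, but let it be forwarded to the internal network.
block in quick on fxp0 from 10.0.0.0/8 to 203.0.113.2
pass  in quick on fxp0 from 10.0.0.0/8 to 192.168.0.0/16 keep state

# Limitation the thread points out: the interface is the only handle,
# so the pass rule above also matches a cleartext 10.0.0.0/8 packet
# that never came through the tunnel. "RFC1918 from the tunnel, but
# not otherwise" cannot be expressed in this rule set.
block in quick on fxp0 all
```

The rule set is enough for the narrower goal stated in the message (blocking decapsulated traffic addressed to the host), while the comment on the pass rule marks exactly where an interface-style handle such as a dedicated IPsec interface would be needed to tell tunnelled from untunnelled packets apart.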

