Date: Thu, 12 Jun 2003 20:41:24 +0200
From: lupe@lupe-christoph.de (Lupe Christoph)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Impossible to IPfilter this?
Message-ID: <20030612184124.GD26930@lupe-christoph.de>
In-Reply-To: <20030612132138.A26888@shell.gsinet.sittig.org>
References: <20030607111540.GC4812@lupe-christoph.de> <20030610230744.GD44069@blossom.cjclark.org> <20030612132138.A26888@shell.gsinet.sittig.org>
On Thursday, 2003-06-12 at 13:21:38 +0200, Gerhard Sittig wrote:

> In this scenario (would I be in the situation to have to filter
> this traffic:) I would wish for some flag or "handle" to recognize
> the different times the packet runs through the filter. There is
> quite a huge difference between "letting ESP/AH in at fxp0 and
> accept IPv4 -- maybe RFC1918 addresses -- from this tunnel (but
> not otherwise)" and "letting ESP/AH as well as IPv4 in at fxp0".
> Not wanting or having to extend the established filter syntax or
> the programming interface already laid out almost naturally makes
> the "interface" property of a packet one such handle.

I've used ipsec0 on Linux for similar purposes, and I would like to see an IPSec interface in FreeBSD as well. As I said, I could not get GIF to work with FreeS/WAN, so I'm stuck with the current interface-deprived IPSec implementation.

But at least (and at last!) I can use IPFilter rules for IPSec traffic, thanks to Crist's suggestion. Since I just want to prohibit traffic to "this host", that's enough for me.

Thank you all,
Lupe Christoph

-- 
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030612184124.GD26930>