Date: Fri, 30 Jul 2004 08:12:52 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: "Nickolay A. Kritsky" <nkritsky@star-sw.com>
Cc: freebsd-net@freebsd.org
Subject: Re[3]: ipsec packet filtering
Message-ID: <Pine.BSF.4.53.0407300803100.41939@e0-0.zab2.int.zabbadoz.net>
In-Reply-To: <11116772218.20040730115500@star-sw.com>
References: <652582171.20040730075831@star-sw.com> <Pine.BSF.4.53.0407300457460.41939@e0-0.zab2.int.zabbadoz.net> <Pine.BSF.4.53.0407300640090.41939@e0-0.zab2.int.zabbadoz.net> <11116772218.20040730115500@star-sw.com>
On Fri, 30 Jul 2004, Nickolay A. Kritsky wrote:

Hi,

> I think I have got your point here, but filtering esp in tunnel mode
> is of no use in many scenarios since higher protocol information (like
> ports for TCP/UDP) is hidden in encrypted payload.

at first it helps you to accept (only) encrypted traffic from your peers.

> Correct me if I am wrong but diverting incoming packets won't help.
> Libalias will just pass them unNATed. Or has it been changed since
> 4.9?

Let's see.

...

> see? if the incoming packet is not in table, _and_ natd is not running
> in proxy_only mode (which is not acceptable here) the packet flows by
> without any change. And that's what the `man natd' says.

please type

man natd
/reverse
n

this should be available in 4.9 too.

> BAZ> The ruleset gets quite tricky then but it works here (HEAD from about
> BAZ> 82 days ago according to uptime ;-)
>
> ? Do you mean you have the same scenario? And diverting on inside
> interface works for you?

yes of course and a lot more on my three inside and two outside
interfaces.

--
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
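The two points Bjoern makes above (filter on the outside interface so that only ESP and IKE from known peers are accepted, and divert on the inside interface with natd run in reverse mode, see natd(8) under -reverse) can be sketched as a small ipfw script. This is an added illustration, not Bjoern's ruleset from the thread; the interface names fxp0/fxp1, the peer address 192.0.2.1, the natd port 8668 and the natd command line are assumptions for the sake of the example, and the exact interaction between the divert rule and the decapsulated packets on a given FreeBSD release still has to be checked with `man natd` as the message says.

```shell
#!/bin/sh
# Added example for the ipsec/natd discussion above; not code from the thread.
# Assumed values: fxp0 = outside interface, fxp1 = inside interface,
# 192.0.2.1 = IPsec peer (documentation address), 8668 = natd divert port.
# Set IPFW=echo to print the rules instead of loading them.
set -e

IPFW=${IPFW:-ipfw}
OUT_IF=${OUT_IF:-fxp0}
IN_IF=${IN_IF:-fxp1}
PEER=${PEER:-192.0.2.1}
NATD_PORT=${NATD_PORT:-8668}

apply_rules() {
    $IPFW -f flush

    # Outside interface: only the tunnel itself is allowed in. ESP carries the
    # encrypted payload, UDP/500 is IKE; everything else inbound is logged and
    # dropped, so plaintext traffic from the peer's address is not accepted.
    $IPFW add 100 allow esp from "$PEER" to me in via "$OUT_IF"
    $IPFW add 110 allow udp from "$PEER" 500 to me 500 in via "$OUT_IF"
    $IPFW add 120 allow esp from me to "$PEER" out via "$OUT_IF"
    $IPFW add 130 allow udp from me 500 to "$PEER" 500 out via "$OUT_IF"
    $IPFW add 190 deny log ip from any to any in via "$OUT_IF"

    # Inside interface: the decrypted packets are handed to natd here, with
    # natd started in reverse mode (natd -reverse -n $IN_IF -p $NATD_PORT).
    $IPFW add 200 divert "$NATD_PORT" ip from any to any via "$IN_IF"

    # Everything else (already-filtered tunnel traffic, inside LAN) passes.
    $IPFW add 300 allow ip from any to any
}

# Only touch the live firewall when explicitly asked for.
if [ "${APPLY_RULES:-no}" = "yes" ]; then
    apply_rules
fi
```

Run with `APPLY_RULES=yes sh ipsec-rules.sh` as root on the gateway, or with `IPFW=echo sh -c '. ./ipsec-rules.sh; apply_rules'` to review the generated rules first.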