Date: Tue, 17 Apr 2001 12:07:04 -0600
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Interaction between ipfw, IPSEC and natd
Message-ID: <200104171807.f3HI74p23303@orthanc.ab.ca>
In-Reply-To: Your message of "Tue, 17 Apr 2001 15:06:53 BST." <E14pW85-0002Q2-00@xi.css.qmw.ac.uk>
>>>>> "David" == David Pick <D.M.Pick@qmw.ac.uk> writes:

    David> I think so - but I don't see why a daemon would be
    David> necessary. It seems to me that the sort of mechanism used
    David> by the "gif" interfaces would be appropriate. It *might*
    David> even be possible to extend the "gif" interface to do the
    David> job. The difference being that instead of encapsulating in
    David> an IP "tunnel" it would encapsulate in an IPSEC
    David> "tunnel".

You've pretty much described the OpenBSD enc(4) interface:

ENC(4)                   OpenBSD Programmer's Manual                   ENC(4)

NAME
     enc - Encapsulating Interface

SYNOPSIS
     pseudo-device enc 4

DESCRIPTION
     The enc interface is a software loopback mechanism that allows hosts or
     firewalls to filter ipsec(4) traffic using ipf(5).  The vpn(8) manpage
     shows an example of such a setup.

     The other use of the enc interface is to allow an administrator to see
     outgoing packets before they have been processed by ipsec(4), or incoming
     packets after they have been similarly processed, via tcpdump(8).

     The ``enc0'' interface inherits all IPsec traffic.  Thus all IPsec
     traffic can be filtered based on ``enc0'', and all IPsec traffic could be
     seen by invoking tcpdump(8) on the ``enc0'' interface.

--lyndon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
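As an added example (not from Lyndon's message, the OpenBSD manual page, or the vpn(8) setup it refers to), here is an ipf(5) ruleset in the shape the enc(4) text describes: the physical interface only ever sees the IPsec envelope, so it gets rules for ESP and IKE between the two gateways, while the policy on the decrypted (inbound) or not-yet-encrypted (outbound) packets goes on enc0. The interface name xl0, the gateway addresses and the two LAN prefixes are hypothetical.

```conf
# Hypothetical /etc/ipf.rules for a gateway with enc(4).
#   xl0            outside interface
#   192.0.2.1      this gateway's outside address
#   198.51.100.1   remote gateway's outside address
#   10.0.0.0/16    local LAN behind this gateway
#   10.1.0.0/16    remote LAN behind the peer
# All addresses and names are made up for the example.

# --- xl0: only the IPsec envelope is visible here ---------------------
# Allow ESP and IKE (UDP/500) strictly between the two gateways.
pass in  quick on xl0 proto esp from 198.51.100.1 to 192.0.2.1
pass out quick on xl0 proto esp from 192.0.2.1 to 198.51.100.1
pass in  quick on xl0 proto udp from 198.51.100.1 port = 500 to 192.0.2.1 port = 500
pass out quick on xl0 proto udp from 192.0.2.1 port = 500 to 198.51.100.1 port = 500
# Anything else arriving on the wire is dropped. In particular this stops
# cleartext packets that merely claim a 10.1.0.0/16 source from bypassing
# the tunnel: legitimate remote-LAN traffic only ever appears on enc0,
# after it has been authenticated and decrypted.
block in log quick on xl0 all

# --- enc0: the packets are plaintext here, so apply address/port policy --
# Remote LAN may reach ssh on any local host and smtp on one mail host.
pass in  quick on enc0 proto tcp from 10.1.0.0/16 to 10.0.0.0/16 port = 22 flags S keep state
pass in  quick on enc0 proto tcp from 10.1.0.0/16 to 10.0.0.5   port = 25 flags S keep state
# Everything else that came out of a tunnel is dropped and logged.
block in log quick on enc0 all
# Outbound: local LAN may originate anything towards the remote LAN;
# these packets are seen on enc0 before ipsec(4) encrypts them.
pass out quick on enc0 from 10.0.0.0/16 to 10.1.0.0/16 keep state
```

The same property makes enc0 the place to look when a tunnel "passes" but the application does not work: `tcpdump -n -i enc0` shows the decrypted inner packets (and the outbound ones before encryption), whereas `tcpdump -n -i xl0` shows only ESP and tells you nothing about which inner address or port is being rejected.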