Date: Tue, 17 Apr 2001 12:07:04 -0600
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Interaction between ipfw, IPSEC and natd
Message-ID: <200104171807.f3HI74p23303@orthanc.ab.ca>
In-Reply-To: Your message of "Tue, 17 Apr 2001 15:06:53 BST." <E14pW85-0002Q2-00@xi.css.qmw.ac.uk>
>>>>> "David" == David Pick <D.M.Pick@qmw.ac.uk> writes:
David> I think so - but I don't see why a daemon would be
David> necessary. It seems to me that the sort of mechanism used
David> by the "gif" interfaces would be appropriate. It *might*
David> even be possible to extend the "gif" interface to do the
David> job. The difference being that instead of encapsulating in
David> an IP "tunnel" it would encapsulate in an IPSEC
David> "tunnel".
You've pretty much described the OpenBSD enc(4) interface:
ENC(4) OpenBSD Programmer's Manual ENC(4)
NAME
enc - Encapsulating Interface
SYNOPSIS
pseudo-device enc 4
DESCRIPTION
The enc interface is a software loopback mechanism that allows hosts or
firewalls to filter ipsec(4) traffic using ipf(5). The vpn(8) manpage
shows an example of such a setup.
The other use of the enc interface is to allow an administrator to see
outgoing packets before they have been processed by ipsec(4), or incoming
packets after they have been similarly processed, via tcpdump(8).
The ``enc0'' interface inherits all IPsec traffic. Thus all IPsec
traffic can be filtered based on ``enc0'', and all IPsec traffic could be
seen by invoking tcpdump(8) on the ``enc0'' interface.
--lyndon
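As an added illustration of the enc(4) mechanism described above (not part of the thread, and not the example from vpn(8)): an ipf(5) ruleset that admits only IKE and ESP from the peer gateway on the outer interface and applies the cleartext policy to the decapsulated packets on enc0. The outer interface name ne0, the peer gateway 203.0.113.1 and both protected networks are assumed values.

```conf
# /etc/ipf.rules fragment (constructed example; interface and addresses assumed)
#   ne0            - outer interface carrying the encrypted tunnel
#   203.0.113.1    - remote IPsec gateway
#   192.168.1.0/24 - local protected network
#   192.168.2.0/24 - remote protected network

# Outer interface: the only tunnel traffic that should arrive here is
# IKE (UDP 500) and ESP, and only from the configured peer gateway.
pass in  quick on ne0 proto udp from 203.0.113.1 to any port = 500
pass out quick on ne0 proto udp from any to 203.0.113.1 port = 500
pass in  quick on ne0 proto esp from 203.0.113.1 to any
pass out quick on ne0 proto esp from any to 203.0.113.1

# enc0 sees the inner packets: incoming ones after ipsec(4) has
# decapsulated them, outgoing ones before they are encrypted.  So this
# is where the policy on the cleartext lives: only the two protected
# networks may use the tunnel, and anything else inside it is logged.
pass in  quick on enc0 from 192.168.2.0/24 to 192.168.1.0/24
pass out quick on enc0 from 192.168.1.0/24 to 192.168.2.0/24
block in  log quick on enc0 all
block out log quick on enc0 all

# Everything else arriving on the outer interface is dropped and logged,
# which also catches cleartext that tries to bypass the tunnel.
block in log quick on ne0 all
```

Because the enc0 rules match on the decapsulated packet, a source address that did not come through the peer's SA still has to pass the ne0 rules first, so the two layers are checked independently.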
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104171807.f3HI74p23303>
