Date: 10 Mar 1999 13:47:31 +0000
From: Terry Glanfield <terry@ppsl.demon.co.uk>
To: "Jim Flowers" <jflowers@ezo.net>, <freebsd-hackers@freebsd.org>
Subject: Re: Tunnel loopback
Message-ID: <er9qxh2x8.fsf@ppsl.demon.co.uk>
In-Reply-To: "Jim Flowers"'s message of "Tue, 9 Mar 1999 17:43:16 -0500"
References: <000d01be6a7e$39343960$abd396ce@ivy.ezo.net>
"Jim Flowers" <jflowers@ezo.net> writes:

> There is a basic problem with your strategy. SKIP is unidirectional and the
> inbound packets will have to be received on the configured interface to be
> authenticated.

Exactly. Along with the rule for the internal interface:

    pass in quick on ed0 to tun0 all

I have a rule on the external interface to redirect SKIP packets to the tunnel:

    pass in quick on ed1 to tun0 proto skip all

Similarly for UDP port 1640. I've tested this and it works admirably (except for the duplicate packets mentioned earlier).

The object is to move SKIP from its position closest to the wire to a point before NAT occurs. Then, so long as the SKIP packets have a properly rewritten source address and are not modified by NAT, all of the problems you mention are addressed. Nomadic SKIP hosts on the Internet should also be possible, although I've not tried this yet.

Now, if only I could stop the duplicate packets bouncing around the tunnel...

> Were you able to get the FreeBSD Skip-1.0 port to compile on 3.1?

Apparently it won't work with LKM and needs a KLM rewrite.

Regards,

Terry.