From owner-freebsd-hackers Wed Mar 10 8:34:45 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from post-20.mail.demon.net (post-20.mail.demon.net [194.217.242.27]) by hub.freebsd.org (Postfix) with ESMTP id 1E79D14C30 for ; Wed, 10 Mar 1999 08:34:38 -0800 (PST) (envelope-from terry@ppsl.demon.co.uk)
Received: from [158.152.16.214] (helo=yeoman.ppsl.co.uk) by post-20.mail.demon.net with esmtp (Exim 2.10 #2) id 10Klvu-0005Rf-0K; Wed, 10 Mar 1999 16:34:11 +0000
To: "Jim Flowers" , freebsd-hackers@freebsd.org
Subject: Re: Tunnel loopback
References: <004301be6b0e$2efd77f0$23b197ce@crocus.ezo.net>
From: Terry Glanfield
Date: 10 Mar 1999 16:32:19 +0000
In-Reply-To: "Jim Flowers"'s message of "Wed, 10 Mar 1999 10:53:45 -0500"
Message-Id:
Lines: 45
X-Mailer: Gnus v5.6.44/Emacs 19.34
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Jim Flowers" writes:

> An interesting approach but I'm having difficulty understanding your
> description. See below.

I'm using IPFilter, not ipfw. From the man page:

    to causes the packet to be moved to the outbound queue on the
    specified interface. This can be used to circumvent kernel routing
    decisions, and even to bypass the rest of the kernel processing of
    the packet (if applied to an inbound rule). It is thus possible to
    construct a firewall that behaves transparently, like a filtering
    hub or switch, rather than a router. The fastroute keyword is a
    synonym for this option.

I'm simply moving all packets arriving on the internal interface and SKIP
packets on the external interface to the tunnel interface.

> The main problem with a nomadic host is that at the nomad end the original
> packet source and the skiphost have the same IP number and, by definition,
> it is unknown in advance. Not a problem for a simple host-to-host network
> but definitely a routing problem for a single-interface nomadic server in a
> host-to-network tunnel topology. You have to figure out how to route return
> packets to the skiphost for processing and then route the same packets (now
> encrypted but with the same destination address) to the nomad (far-end)
> skiphost.

The idea is that *all* packets destined for the outside pass through SKIP.
I'm assuming that SKIP will keep state information about nomadic hosts that
have made inbound connections and extract/encrypt what it needs while leaving
the rest to pass through untouched. Like I said though, I haven't played with
"skiphost -a *" yet.

> I'm beginning to think SKIP may be reaching end-of-life status with the
> vanishing of the mailing list and archive.

I noticed that the archive was inaccessible. Was there an announcement that I
missed?

Regards,

Terry.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
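An ipf.conf fragment illustrating the rule set Terry describes, added here as an example and not taken from the thread; the interface names fxp0 (internal), ed0 (external) and tun0 (tunnel) and the 10.0.0.0/8 internal range are assumptions, and SKIP is matched by its IANA IP protocol number, 57:

```conf
# Constructed example. Assumed interfaces: fxp0 = internal LAN,
# ed0 = external link, tun0 = the SKIP tunnel interface.
#
# Because "to" on an inbound rule moves the packet straight to the
# outbound queue of tun0 and bypasses the rest of kernel processing,
# anything that must be dropped has to be blocked BEFORE these rules.
# Drop packets arriving from outside that claim an internal source.
block in quick on ed0 from 10.0.0.0/8 to any

# Everything arriving on the internal interface is handed to the tunnel.
pass in quick on fxp0 to tun0 from any to any

# Only SKIP traffic (IP protocol 57) arriving from outside goes to the
# tunnel; the kernel's normal routing decision is not consulted.
pass in quick on ed0 to tun0 proto 57 from any to any

# All other inbound traffic on the external interface is filtered
# normally; here it is logged and dropped.
block in log quick on ed0 from any to any
```

The `fastroute` keyword can be written in place of `to tun0` with the same effect, as the quoted man page text says.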