Date:      10 Mar 1999 16:32:19 +0000
From:      Terry Glanfield <terry@ppsl.demon.co.uk>
To:        "Jim Flowers" <jflowers@ezo.net>, freebsd-hackers@freebsd.org
Subject:   Re: Tunnel loopback
Message-ID:  <eogm1gvak.fsf@ppsl.demon.co.uk>
In-Reply-To: "Jim Flowers"'s message of "Wed, 10 Mar 1999 10:53:45 -0500"
References:  <004301be6b0e$2efd77f0$23b197ce@crocus.ezo.net>


"Jim Flowers" <jflowers@ezo.net> writes:
> An interesting approach but I'm having difficulty understanding your
> description.  See below.

I'm using IPFilter, not ipfw.

From the man page:

     to   causes the packet to be moved to the outbound queue  on
          the specified interface. This can be used to circumvent
          kernel routing decisions, and even to bypass  the  rest
          of  the  kernel processing of the packet (if applied to
          an inbound rule). It is thus possible  to  construct  a
          firewall  that  behaves transparently, like a filtering
          hub or switch, rather than a router. The fastroute key-
          word is a synonym for this option.

I'm simply moving all packets arriving on the internal interface and
SKIP packets on the external interface to the tunnel interface.

> The main problem with a nomadic host is that at the nomad end the original
> packet source and the skiphost have the same IP number and, by definition,
> it is unknown in advance.  Not a problem for a simple host-to-host network
> but definitely a routing problem for a single-interface nomadic server in a
> host-to-network tunnel topology.  You have to figure out how to route return
> packets to the skiphost for processing and then route the same packets (now
> encrypted but with the same destination address) to the nomad (far-end)
> skiphost.

The idea is that *all* packets destined for the outside pass through
SKIP.  I'm assuming that SKIP will keep state information about
nomadic hosts that have made inbound connections and extract/encrypt
what it needs while leaving the rest to pass through untouched.  Like
I said though, I haven't played with "skiphost -a *" yet.

> I'm beginning to think SKIP may be reaching end-of-life status with the
> vanishing of the mailing list and archive.

I noticed that the archive was inaccessible.  Was there an
announcement that I missed?

Regards,
Terry.
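The rule layout described in the message above, written out as an added example ipf.conf fragment (not Terry's actual configuration); the interface names ed0 (external), ed1 (internal) and tun0 (SKIP tunnel) and the 192.168.1.0/24 internal network are assumed. It also shows the ordering caveat the man page implies: because "to" on an inbound rule bypasses the rest of the kernel's processing, any filtering you still want on those packets has to sit in rules that match first.

```text
# Constructed ipf.conf fragment; interface names and addresses are assumptions.
# ed0 = external interface, ed1 = internal interface, tun0 = SKIP tunnel.
# Rules are tried in order; the first matching "quick" rule is final.

# Filter before fast-routing: a packet arriving from outside that claims an
# internal source address would otherwise be pushed onto the tunnel unchecked.
block in log quick on ed0 from 192.168.1.0/24 to any

# Everything arriving on the internal interface is moved to tun0's outbound
# queue, so the kernel's routing decision is not consulted; SKIP sees it all.
pass in quick on ed1 to tun0 all

# Encrypted SKIP traffic (IP protocol 57) arriving from outside goes to the
# tunnel interface as well, again bypassing normal kernel processing.
pass in quick on ed0 to tun0 proto 57 from any to any

# Anything else reaching the external interface is filtered normally.
block in log on ed0 all
```

Load with "ipf -Fa -f /etc/ipf.conf" and confirm the rule order with "ipfstat -ih" so the block rule is listed ahead of the two "to tun0" rules.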
