Date: Sun, 12 Mar 2017 01:16:19 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Hooman Fazaeli <hoomanfazaeli@gmail.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: ipsec with ipfw
Message-ID: <20170311221619.GU15630@zxy.spb.ru>
In-Reply-To: <58C46AE0.7050408@gmail.com>
On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote:

> Hi,
>
> As you know the ipsec/setkey provide limited syntax to define security
> policies: only a single subnet/host, protocol number and optional port
> may be used to specify traffic's source and destination.
>
> I was thinking about the idea of using ipfw as the packet selector for ipsec,
> much like it is used with dummynet. Something like:
>
> ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table> 80,443,110,139
>
> What do you think? Are you interested in such a feature?
> Is it worth the effort? What are the implementation challenges?

Security policies are the subject of the IKE protocol exchange; do you plan to extend this protocol too?
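The limitation described in the quoted message, as an added example that is not part of either e-mail: because each setkey policy takes one source, one destination and one port, a rule over two tables and four ports expands into one spdadd entry per combination and direction. The addresses, the tunnel endpoints and the function name gen_spd are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (documentation address ranges); stands in for
# the <lan-table> and <remote-servers-table> placeholders in the message.
LAN_NETS="192.0.2.0/25 192.0.2.128/25"
REMOTE_SERVERS="198.51.100.10 198.51.100.20 198.51.100.30"
PORTS="80 443 110 139"

# Hypothetical tunnel endpoints (assumption, not from the thread).
LOCAL_GW="203.0.113.1"
REMOTE_GW="203.0.113.2"

# Emit one outbound and one inbound setkey(8) policy for every
# (LAN subnet, remote server, port) combination.
gen_spd() {
    for src in $LAN_NETS; do
        for dst in $REMOTE_SERVERS; do
            for port in $PORTS; do
                # Outbound: LAN client (any port) -> server:port
                printf 'spdadd %s[any] %s[%s] tcp -P out ipsec esp/tunnel/%s-%s/require;\n' \
                    "$src" "$dst" "$port" "$LOCAL_GW" "$REMOTE_GW"
                # Inbound: server:port -> LAN client (any port)
                printf 'spdadd %s[%s] %s[any] tcp -P in ipsec esp/tunnel/%s-%s/require;\n' \
                    "$dst" "$port" "$src" "$REMOTE_GW" "$LOCAL_GW"
            done
        done
    done
}

# 2 subnets x 3 servers x 4 ports x 2 directions = 48 policy entries.
gen_spd
```

The output is in the format setkey reads with `setkey -f <file>`; every change to either address list or the port list means regenerating and reloading the whole set.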
