Date:      Mon, 13 Mar 2017 10:31:53 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Hooman Fazaeli <hoomanfazaeli@gmail.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: ipsec with ipfw
Message-ID:  <ed0084be-e183-62df-2875-179f20cc0b28@yandex.ru>
In-Reply-To: <58C46AE0.7050408@gmail.com>
References:  <58C46AE0.7050408@gmail.com>

On 12.03.2017 00:23, Hooman Fazaeli wrote:
> Hi,
>
> As you know, ipsec/setkey provide limited syntax to define security
> policies: only a single subnet/host, protocol number and optional port
> may be used to specify traffic's source and destination.
>
> I was thinking about the idea of using ipfw as the packet selector for
> ipsec, much like it is used with dummynet. Something like:
>
> ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table> 80,443,110,139

What should this rule do? How do you plan to implement policy lookup for
inbound packets?

-- 
WBR, Andrey V. Elsukov
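
To make the setkey limitation from the quoted message concrete, here is an added example (not part of either poster's mail) that expands one table-style selector into the individual `spdadd` entries setkey needs, each paired with its mirrored inbound entry. The addresses, the port list as destination ports, the `esp/transport//require` policy and the function name are assumptions chosen for illustration.

```python
import ipaddress
from itertools import product

# Constructed sample data standing in for <lan-table> and <remote-servers-table>.
LAN = ["10.1.0.0/24", "10.2.0.0/24"]
SERVERS = ["192.0.2.10/32", "192.0.2.20/32", "198.51.100.0/28"]
PORTS = [80, 443, 110, 139]


def expand_to_spd(sources, dests, ports, proto="tcp",
                  policy="esp/transport//require"):
    """Return setkey spdadd lines for every source x destination x port.

    Hypothetical helper: setkey takes one prefix and one optional port per
    side, so a table-based selector has to be flattened into single entries.
    """
    # strict=True rejects prefixes with host bits set (e.g. 10.1.0.5/24).
    srcs = [ipaddress.ip_network(s, strict=True) for s in sources]
    dsts = [ipaddress.ip_network(d, strict=True) for d in dests]
    for port in ports:
        if not 0 < int(port) < 65536:
            raise ValueError(f"invalid port: {port}")

    lines = []
    for src, dst, port in product(srcs, dsts, ports):
        if src.version != dst.version:
            continue  # a single policy cannot mix IPv4 and IPv6 selectors
        # Outbound policy: LAN host (any port) to the server port.
        lines.append(
            f"spdadd {src}[any] {dst}[{port}] {proto} -P out ipsec {policy};")
        # Mirrored inbound policy for the return traffic.
        lines.append(
            f"spdadd {dst}[{port}] {src}[any] {proto} -P in ipsec {policy};")
    return lines


if __name__ == "__main__":
    spd = expand_to_spd(LAN, SERVERS, PORTS)
    print("\n".join(spd))
    print(f"# {len(spd)} SPD entries for one table-style selector")
```

With the constructed tables above, two LAN prefixes, three server prefixes and four ports already require 48 separate policy entries.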

