Date:      Thu, 11 Mar 1999 13:48:05 -0500
From:      "Jim Flowers" <jflowers@ezo.net>
To:        <freebsd-hackers@freebsd.org>, "Terry Glanfield" <terry@ppsl.demon.co.uk>
Subject:   Re: Tunnel loopback
Message-ID:  <001501be6bef$b74a05b0$23b197ce@crocus.ezo.net>

Thanks for the clarification.  It looks like I would have to do a number of
things (clearly spelled out) to use ipfilter rather than ipfw, which only
requires a simple kernel rebuild.  More below:

-----Original Message-----
From: Terry Glanfield <terry@ppsl.demon.co.uk>
>I'm simply moving all packets arriving on the internal interface and
>SKIP packets on the external interface to the tunnel interface.
Yep, I see it now.  Similarly, with ipfw I use matching rules:

    allow 57 from any to any
    allow tcp from any 1640 to any
    allow tcp from any 1639 to any
    allow all from inside.host.or.subnet.ip to outside.host.or.subnet.ip

before the natd divert rule to effectively bypass nat.

>I'm assuming that SKIP will keep state information about
>nomadic hosts that have made inbound connections and extract/encrypt
>what it needs while leaving the rest to pass through untouched.  Like
>as I said though, I haven't played with "skiphost -a *" yet.

I've just been doing '*' setups to configure a nomadic server.  When all
outbound packets go through the skipped interface, you are correct and skip
will figure out which to process and which to just pass along in cleartext.
I want to locate a skip server with a single interface on a perimeter
network between exterior and interior firewall router interfaces.  That
means that an outbound packet is routed to the skiphost via the inside
router interface for authentication/encryption/encapsulation and then the
processed packet must be directed out the router external interface to the
nomad.  Unfortunately the brand name 3 port firewall routers that I use can
route only on destination addresses so it can't be done.

>I noticed that the archive was inaccessible.  Was there an
>announcement that I missed?

No announcement.  It (and the listserver) just went away.  Archie Cobbs is
trying to reestablish contact.  He has also reworked the SKIP port to work
with 3.1.  It compiles and runs well.

Jim
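An added illustration of the rule-ordering point in the message above (not code from the thread): a small Python model of ipfw's first-match evaluation, with the four allow rules placed either before or after a natd divert rule. Protocol 57 and TCP ports 1639/1640 come from the message; the inside/outside prefixes and the sample packets are assumed placeholders.

```python
from dataclasses import dataclass

IP_PROTO_SKIP = "57"    # SKIP IP protocol number, as in the message
INSIDE_NET = "10.0.0."  # assumed placeholder for inside.host.or.subnet.ip
OUTSIDE_NET = "192.0.2."  # assumed placeholder for outside.host.or.subnet.ip

@dataclass
class Packet:
    proto: str      # "tcp", "udp", "icmp", or "57" for SKIP
    src: str
    dst: str
    sport: int = 0  # source port, 0 when not applicable

# Rule = (action, proto or "all", src prefix or "any", src port or None, dst prefix or "any").
# Prefix matching on the dotted string stands in for ipfw's subnet match.
SKIP_BYPASS_RULES = [
    ("allow", IP_PROTO_SKIP, "any", None, "any"),
    ("allow", "tcp", "any", 1640, "any"),
    ("allow", "tcp", "any", 1639, "any"),
    ("allow", "all", INSIDE_NET, None, OUTSIDE_NET),
]
DIVERT_RULE = ("divert natd", "all", "any", None, "any")
DEFAULT_RULE = ("allow", "all", "any", None, "any")

def matches(rule, pkt):
    _, proto, src, sport, dst = rule
    if proto != "all" and proto != pkt.proto:
        return False
    if src != "any" and not pkt.src.startswith(src):
        return False
    if sport is not None and pkt.sport != sport:
        return False
    return dst == "any" or pkt.dst.startswith(dst)

def first_match(ruleset, pkt):
    """ipfw semantics: rules are tried in order and the first match decides."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule[0]
    return "deny"  # nothing matched (ipfw's implicit default)

def disposition(pkt, bypass_before_divert=True):
    """Outcome for pkt with the allow rules placed before or after the divert."""
    if bypass_before_divert:
        ruleset = SKIP_BYPASS_RULES + [DIVERT_RULE, DEFAULT_RULE]
    else:
        ruleset = [DIVERT_RULE] + SKIP_BYPASS_RULES + [DEFAULT_RULE]
    return first_match(ruleset, pkt)
```

With the allow rules first, SKIP and tunnel-endpoint traffic never reaches natd; move them after the divert and the same packets are rewritten by NAT, which is what breaks the tunnel.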
