From owner-freebsd-hackers Thu Mar 11 10:48:05 1999
From: "Jim Flowers"
To: , "Terry Glanfield"
Subject: Re: Tunnel loopback
Date: Thu, 11 Mar 1999 13:48:05 -0500

Thanks for the clarification. It looks like I would have to do a number of things (clearly spelled out) to use ipfilter rather than ipfw, which only requires a simple kernel rebuild. More below:

-----Original Message-----
From: Terry Glanfield

>I'm simply moving all packets arriving on the internal interface and
>SKIP packets on the external interface to the tunnel interface.

Yep, I see it now. Similarly, with ipfw I use matching rules:

  allow 57 from any to any
  allow tcp from any 1640 to any
  allow tcp from any 1639 to any
  allow all from inside.host.or.subnet.ip to outside.host.or.subnet.ip

before the natd divert rule to effectively bypass nat.

>
>
>I'm assuming that SKIP will keep state information about
>nomadic hosts that have made inbound connections and extract/encrypt
>what it needs while leaving the rest to pass through untouched. Like
>I said though, I haven't played with "skiphost -a *" yet.

I've just been doing '*' setups to configure a nomadic server.

When all outbound packets go through the skipped interface, you are correct and skip will figure out which to process and which to just pass along in cleartext. I want to locate a skip server with a single interface on a perimeter network between exterior and interior firewall router interfaces. That means that an outbound packet is routed to the skiphost via the inside router interface for authentication/encryption/encapsulation, and then the processed packet must be directed out the router external interface to the nomad. Unfortunately the brand-name 3-port firewall routers that I use can route only on destination addresses, so it can't be done.

>I noticed that the archive was inaccessible. Was there an
>announcement that I missed?

No announcement. It (and the listserver) just went away. Archie Cobbs is trying to reestablish contact. He has also reworked the SKIP port to work with 3.1. It compiles and runs well.

Jim
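The rule ordering Jim describes, written out as a small rc-style script (an added example, not code from the message or from FreeBSD); the interface name, rule numbers and address prefixes are assumed placeholders, and the script can be previewed with IPFW=echo before it touches a live firewall.

```shell
#!/bin/sh
# ipfw evaluates rules in ascending number order and the first match wins,
# so the "allow" rules for SKIP traffic must carry lower numbers than the
# natd divert rule: matching packets are accepted before natd ever sees them.
# Assumed placeholders (not from the message): ed0, the rule numbers and
# the two /24 prefixes. Set IPFW=echo to print the rules instead of loading them.
IPFW=${IPFW:-/sbin/ipfw}

install_skip_bypass() {
    ext_if=$1; inside=$2; outside=$3
    # SKIP is IP protocol 57; 1640 and 1639 are the ports the message lists.
    "$IPFW" add 1000 allow 57 from any to any
    "$IPFW" add 1010 allow tcp from any 1640 to any
    "$IPFW" add 1020 allow tcp from any 1639 to any
    "$IPFW" add 1030 allow all from "$inside" to "$outside"
    # Anything not matched above still reaches natd on the external interface.
    "$IPFW" add 2000 divert natd all from any to any via "$ext_if"
}

# Dry run: print the rule numbers in evaluation order so the ordering can be
# checked without a live kernel (uses constructed sample prefixes).
bypass_rule_numbers() {
    (IPFW=echo; install_skip_bypass ed0 192.0.2.0/24 198.51.100.0/24) \
        | awk '{n = n (n ? " " : "") $2} END {print n}'
}

# Dry run: print the last rule, which must be the divert rule.
bypass_last_rule() {
    (IPFW=echo; install_skip_bypass ed0 192.0.2.0/24 198.51.100.0/24) | tail -n 1
}
```

Note that these rules only exempt the listed traffic from natd; they do not restrict it, so on a real host the allow rules would normally be scoped further (for example with `via` and explicit prefixes) according to the firewall's policy.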