Date: Sat, 11 Mar 2017 21:53:39 -0800
From: Ermal Luçi <eri@freebsd.org>
To: Slawa Olhovchenkov <slw@zxy.spb.ru>
Cc: Hooman Fazaeli <hoomanfazaeli@gmail.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: ipsec with ipfw
Message-ID: <CAPBZQG2QuU_oENyzV25kD=SMWiV36tRhyV-gHAPa+kRwoXyuKw@mail.gmail.com>
In-Reply-To: <20170311221619.GU15630@zxy.spb.ru>
References: <58C46AE0.7050408@gmail.com> <20170311221619.GU15630@zxy.spb.ru>
On Sat, Mar 11, 2017 at 2:16 PM, Slawa Olhovchenkov <slw@zxy.spb.ru> wrote:
> On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote:
> >
> > Hi,
> >
> > As you know, ipsec/setkey provides a limited syntax to define security
> > policies: only a single subnet/host, protocol number and optional port
> > may be used to specify the traffic's source and destination.
> >
> > I was thinking about the idea of using ipfw as the packet selector for ipsec,
> > much like it is used with dummynet. Something like:
> >
> > ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table> 80,443,110,139
> >
> > What do you think? Are you interested in such a feature?
> > Is it worth the effort? What are the implementation challenges?
>
> Security policies are the subject of the IKE protocol exchange; do you plan
> to extend this protocol too?

With the introduction of if_ipsec you can implement such tricks through routing.

-- 
Ermal
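Ermal's pointer, worked out as an added example (this is not code from the thread, from FreeBSD's documentation or from any of the participants): an if_ipsec(4) interface carries one tunnel policy keyed by its reqid, so what gets encrypted is decided by what is routed into the interface, not by SPD selectors. Coarse selection is a plain route; the finer host/port selection Hooman asked for is done with an ipfw fwd rule to the tunnel peer (the port list is taken from his proposed rule). Addresses, table names, the SPIs and the manual keys are all assumed or constructed; an IKE daemon can install the SAs instead as long as it uses the same reqid. Assumes FreeBSD 11.1 or later for if_ipsec and ipfw named tables.

```shell
#!/bin/sh
# Added example: select traffic for an if_ipsec tunnel by routing/ipfw, not by SPD selectors.
# Dry run by default: every command is printed. APPLY=1 executes them (root, FreeBSD 11.1+).
set -eu

APPLY=${APPLY:-0}

# Assumed addresses (RFC 5737 documentation ranges): outer gateways, inner tunnel ends, remote LAN.
LOCAL_GW=192.0.2.1
REMOTE_GW=198.51.100.1
TUN_LOCAL=172.16.0.1
TUN_REMOTE=172.16.0.2
REMOTE_LAN=10.20.0.0/16
REQID=100   # ties the ipsec0 interface to its SAs (setkey -u)

# Constructed test keys, distinct per direction (AES-256-CBC + HMAC-SHA2-256, 32 bytes each).
# Generate real ones with: openssl rand -hex 32
KEY_E_OUT=0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
KEY_A_OUT=0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
KEY_E_IN=0x0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
KEY_A_IN=0xf0e1d2c3b4a5968778695a4b3c2d1e0ff0e1d2c3b4a5968778695a4b3c2d1e0f

run() {
    printf '+ %s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# 1. The interface installs its own security policies for REQID; no spdadd lines are needed.
ipsec_if_up() {
    run ifconfig ipsec0 create reqid "$REQID"
    run ifconfig ipsec0 inet tunnel "$LOCAL_GW" "$REMOTE_GW"
    run ifconfig ipsec0 inet "$TUN_LOCAL/30" "$TUN_REMOTE"
}

# 2. One SA per direction, bound to the interface with -u REQID (tunnel mode).
setkey_conf() {
    cat <<EOF
add $LOCAL_GW $REMOTE_GW esp 0x1000 -m tunnel -u $REQID -E rijndael-cbc $KEY_E_OUT -A hmac-sha2-256 $KEY_A_OUT;
add $REMOTE_GW $LOCAL_GW esp 0x1001 -m tunnel -u $REQID -E rijndael-cbc $KEY_E_IN -A hmac-sha2-256 $KEY_A_IN;
EOF
}

setkey_load() {
    printf '+ setkey -c <<EOF\n%s\nEOF\n' "$(setkey_conf)"
    if [ "$APPLY" = 1 ]; then setkey_conf | setkey -c; fi
}

# 3a. Coarse selection by routing: everything for the remote LAN enters the tunnel.
route_select() {
    run route add -net "$REMOTE_LAN" "$TUN_REMOTE"
}

# 3b. Fine selection with ipfw: only the listed hosts/ports are forwarded to the tunnel
#     peer as next hop. Assumes transit traffic arriving from the LAN side (in).
ipfw_select() {
    run ipfw table lan create type addr
    run ipfw table lan add 10.1.0.0/16
    run ipfw table remote create type addr
    run ipfw table remote add "$REMOTE_LAN"
    run ipfw add 100 fwd "$TUN_REMOTE" tcp from 'table(lan)' to 'table(remote)' 80,443,110,139 in
}

ipsec_if_up
setkey_load
route_select
ipfw_select
```

Run it as-is to see the commands, `APPLY=1 sh ipsec-route.sh` as root to apply them; the remote end needs the mirror-image interface and SAs. Use either 3a or 3b, not both, for the same prefix: with the route in place all traffic to 10.20.0.0/16 is already tunnelled and the fwd rule is redundant; without it, only the matched TCP ports go through the tunnel and everything else follows the normal routing table in the clear.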
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPBZQG2QuU_oENyzV25kD=SMWiV36tRhyV-gHAPa%2BkRwoXyuKw>