firewall + ipsec?

Felipe Alfaro Solana felipe_alfaro at linuxmail.org
Tue Sep 23 19:09:26 UTC 2003


On Tue, 2003-09-23 at 20:15, Dax Kelson wrote:

> This concern should only apply to ESP not AH. However, using the IPSec
> builtin to the 2.6 kernel (or backported to the 2.4 kernel) you'll
> find that once the ESP packet is allowed, the *inner* packet then takes
> a trip through the firewall rules (again).
> 
> This way you can filter ESP packets as well as the inner packet.

The last time I tried (2.6.0-test3 running on both ends), it didn't
work: opening both protocol 50 and 51 makes IPSec packets go through, but
they didn't pass normal filters.

I have a simple filter that only allows incoming traffic using
ESTABLISHED and RELATED conntrack modules. However, allowing ESP and AH
traffic allows *any* IPSec traffic to pass through.

Can you write out what iptables commands you would use to stop any
incoming traffic from passing (either IP or IPSec) except for
ESTABLISHED and RELATED?

Thanks!
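
An added example (not from either poster) of an INPUT ruleset along the lines Felipe asks for: only ESTABLISHED/RELATED traffic, plus IPsec from one known peer, with the re-traversing inner packet accepted only when the kernel confirms it was decapsulated from an SA. It assumes iptables with the `policy` match (xt_policy, newer than the 2.6.0-test kernels discussed here); the peer address is a constructed placeholder, and the script prints the commands unless `IPT` is set to the real binary.

```shell
#!/bin/sh
# Added example: restrictive INPUT chain for an IPsec endpoint.
# Dry run by default (prints commands); run as root with IPT=iptables to apply.
set -e

PEER="${PEER:-192.0.2.10}"     # constructed placeholder for the IPsec peer (TEST-NET-1)
IPT="${IPT:-echo iptables}"    # dry run: echo the commands instead of executing them

ipsec_input_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (the original filter).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IKE plus the two IPsec protocols, but only from the configured peer,
    # so arbitrary hosts cannot hand us ESP or AH at all.
    $IPT -A INPUT -s "$PEER" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -s "$PEER" -p esp -j ACCEPT
    $IPT -A INPUT -s "$PEER" -p ah -j ACCEPT
    # After decapsulation the inner packet traverses INPUT a second time.
    # Accept it only if the kernel says it arrived inside an ESP SA; a
    # cleartext packet forged with the same inner addresses fails this match.
    # (For tunnel mode, add: --mode tunnel --tunnel-src "$PEER")
    $IPT -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # Anything else, including NEW cleartext connections, falls to the DROP policy.
}

# Number of rules carrying the explicit peer restriction, so a reviewer can
# confirm no IPsec-related rule is left open to the whole Internet.
count_peer_restricted() {
    ( IPT="echo iptables"; ipsec_input_rules ) | grep -c -- "$PEER"
}

ipsec_input_rules
```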