ipsec with ipfw

Ermal Luçi eri at freebsd.org
Sun Mar 12 05:53:40 UTC 2017


On Sat, Mar 11, 2017 at 2:16 PM, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:

> On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote:
>
> > Hi,
> >
> > As you know, ipsec/setkey provides only a limited syntax to define security
> > policies: only a single subnet/host, protocol number and optional port
> > may be used to specify the traffic's source and destination.
> >
> > I was thinking about the idea of using ipfw as the packet selector for
> > ipsec, much like it is used with dummynet. Something like:
> >
> > ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table> 80,443,110,139
> >
> > What do you think? Are you interested in such a feature?
> > Is it worth the effort? What are the implementation challenges?
>
> Security policies are the subject of the IKE protocol exchange; do you plan
> to extend this protocol too?
>

With the introduction of if_ipsec you can implement such tricks through
routing.


-- 
Ermal
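The routing-based approach Ermal points at, sketched as an added example (not code from this thread or from the FreeBSD project): an if_ipsec(4) tunnel plus an ipfw fwd rule that steers the same selection as Hooman's proposed rule over it. All addresses, table names, the interface name and reqid 100 are assumptions; the SAs carrying that reqid are expected to come from the IKE daemon or from setkey and are not shown.

```shell
#!/bin/sh
# Added example: select traffic with ipfw, then let routing push it into an
# if_ipsec tunnel. Values below are constructed (RFC 5737 addresses).
LOCAL_GW=192.0.2.1        # this gateway's public address (assumed)
REMOTE_GW=198.51.100.1    # peer gateway's public address (assumed)
TUN_LOCAL=10.200.0.1      # inner tunnel endpoint on this side (assumed)
TUN_REMOTE=10.200.0.2     # inner tunnel endpoint on the peer (assumed)
REQID=100                 # must match the reqid of the SAs installed by IKE/setkey

# Print the plan rather than executing it, so it can be reviewed (or tested)
# before it touches a live firewall. Table names are single-quoted because
# the parentheses must reach ipfw literally when the plan is fed to sh.
ipsec_plan() {
    cat <<EOF
sysctl net.inet.ip.forwarding=1
ifconfig ipsec0 create
ifconfig ipsec0 reqid $REQID
ifconfig ipsec0 inet tunnel $LOCAL_GW $REMOTE_GW
ifconfig ipsec0 inet $TUN_LOCAL $TUN_REMOTE
ifconfig ipsec0 up
ipfw table lan create type addr
ipfw table lan add 192.168.1.0/24
ipfw table remote create type addr
ipfw table remote add 203.0.113.0/24
ipfw add 100 fwd $TUN_REMOTE tcp from 'table(lan)' to 'table(remote)' 80,443,110,139
EOF
}

# fwd rewrites the next hop to the peer's inner address, which is reachable
# only via ipsec0, so matching packets are encapsulated; everything else
# follows the normal routing table untouched. DRY_RUN=1 only prints the plan.
apply_plan() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        ipsec_plan
    else
        ipsec_plan | sh -e
    fi
}
```

Traffic that should never leave in clear can additionally be denied with a later ipfw rule, since a missing SA makes the tunnel interface drop rather than bypass.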

