ipsec packet filtering
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Fri Jul 30 01:15:09 PDT 2004
On Fri, 30 Jul 2004, Nickolay A. Kritsky wrote:
Hi,
> I think I have got your point here, but filtering esp in tunnel mode
> is of no use in many scenarios since higher protocol information (like
> ports for TCP/UDP) is hidden in encrypted payload.
at first it helps you to accept (only) encrypted traffic from
your peers.
> Correct me if I am wrong but diverting incoming packets won't help.
> Libalias will just pass them unNATed. Or has it been changed since
> 4.9? Let's see.
...
> see? if the incoming packet is not in table, _and_ natd is not running
> in proxy_only mode (which is not acceptable here) the packet flows by
> without any change. And that's what the `man natd' says.
please type
man natd
/reverse
n
this should be available in 4.9 too.
> BAZ> The ruleset gets quite tricky then but it works here (HEAD from about
> BAZ> 82 days ago according to uptime ;-)
>
> ? Do you mean you have the same scenario? And diverting on inside
> interface works for you?
yes of course and a lot more on my three inside and two outside
interfaces.
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
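An added example, not from this thread or from either poster: a small sh script that prints an ipfw(8) ruleset of the shape discussed above, i.e. accept ESP (and IKE) on the outside interface only from the known IPsec peer, and divert traffic crossing the inside interface to a natd started with -reverse. Interface names (fxp0/fxp1), the peer address, rule numbers and the divert port 8668 (natd's default) are assumptions for illustration; the script only prints the rules, it does not load them.

```shell
#!/bin/sh
# Added example: generate an ipfw ruleset that accepts ESP/IKE only from
# a known IPsec peer and diverts inside-interface traffic to natd -reverse.
# Interface names, peer address, rule numbers and divert port are
# constructed assumptions, not values from the original thread.

# gen_ipsec_ruleset OUTSIDE_IF INSIDE_IF PEER_IP
# Prints "ipfw add ..." arguments to stdout, one rule per line.
gen_ipsec_ruleset() {
    oif=$1
    iif=$2
    peer=$3

    # Only the IPsec peer may deliver ESP (IP proto 50) or IKE (UDP 500)
    # on the outside interface; "me" matches any address of this host.
    echo "add 100 allow esp from $peer to me in via $oif"
    echo "add 110 allow udp from $peer 500 to me 500 in via $oif"

    # Anything else claiming to be ESP/IKE on the outside is dropped and
    # logged, so unexpected peers show up in the logs.
    echo "add 120 deny log esp from any to me in via $oif"
    echo "add 130 deny log udp from any to me 500 in via $oif"

    # Divert on the INSIDE interface, for a natd started as:
    #   natd -reverse -interface $iif -port 8668
    # (-reverse swaps natd's notion of incoming and outgoing, see natd(8)).
    echo "add 200 divert 8668 ip from any to any via $iif"

    # Default deny at the end, logged.
    echo "add 65000 deny log ip from any to any"
}

# Example run with constructed values; pipe into "xargs -L1 ipfw" on the
# firewall itself if the rules are wanted for real.
gen_ipsec_ruleset fxp0 fxp1 192.0.2.10
```

Usage: run the script to review the generated rules first; loading them requires root on the FreeBSD box and a natd process listening on the divert port named in rule 200.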