firewall + ipsec?

Dax Kelson Dax at GuruLabs.com
Tue Sep 23 18:15:32 UTC 2003


On Tue, 2003-09-23 at 08:27, Felipe Alfaro Solana wrote:
> However, he will find another pitfall that I've
> been unable to resolve and it's that once IPSec traffic passes by the
> firewall, there is no way to perform additional filtering based on
> TCP/UDP ports for example.
> 
> Thus, if you enable ESP/AH (protocols 50 and 51), you will in fact
> enable *any* IPSec-protected traffic to pass through the firewall,
> without being able to filter that IPSec traffic based on TCP/UDP ports,
> for example.

This concern should only apply to ESP, not AH. However, using the IPSec
built into the 2.6 kernel (or backported to the 2.4 kernel) you'll
find that once the ESP packet is allowed, the *inner* packet then takes
a trip through the firewall rules (again).

This way you can filter ESP packets as well as the inner packet.

Your concern then goes away.

If you are using FreeSWAN, then you can filter the ports by applying
your rules to the ipsec0 interface.

Dax Kelson
Guru Labs
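The two filtering approaches described in the message above, written out as an added example (this is not code from the original mail or from Guru Labs). It assumes a peer gateway at 192.0.2.10 (a documentation address), an outside interface eth0, and that only SSH and SMTP should be reachable inside the tunnel. The native-stack variant uses the netfilter "policy" match (xt_policy), which is assumed to be available; it ties the inner-packet rules to traffic that really arrived inside an IPsec SA, so the same ports are not also opened to cleartext packets from the peer address. The FreeSWAN variant binds the port rules to ipsec0 exactly as the mail suggests. The rule sets are emitted as text so they can be reviewed first and applied only on request.

```shell
#!/bin/sh
# Added example; not part of the original mail. Constructed values: PEER is the
# IPsec gateway (RFC 5737 documentation address), WAN_IF the outside interface,
# and the inner services allowed through the tunnel are SSH (22) and SMTP (25).
PEER="${PEER:-192.0.2.10}"
WAN_IF="${WAN_IF:-eth0}"

# Rules for the 2.6 native IPsec stack. The first two lines admit the ESP/AH
# packets themselves; the remaining lines are hit when the *decrypted inner
# packet* re-enters INPUT. The policy match (xt_policy, assumed loaded) limits
# those rules to packets that actually came out of an IPsec SA.
native_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -s $PEER -p esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $PEER -p ah -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $PEER -m policy --dir in --pol ipsec -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $PEER -m policy --dir in --pol ipsec -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $PEER -m policy --dir in --pol ipsec -j DROP
EOF
}

# FreeSWAN (KLIPS) variant: decrypted packets surface on the virtual ipsec0
# interface, so ordinary port rules bound to that interface do the filtering.
freeswan_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -s $PEER -p esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $PEER -p ah -j ACCEPT
iptables -A INPUT -i ipsec0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ipsec0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ipsec0 -j DROP
EOF
}

# Count the rules in a set that constrain a TCP/UDP port. A rule set that only
# accepts protocols 50/51 (the pitfall in the quoted mail) has none, which is
# the quick check to run before trusting a firewall script.
port_rule_count() {
    "$1" | grep -c -e '--dport'
}

# Total number of iptables commands a rule set emits (used for sanity checks).
rule_count() {
    "$1" | grep -c '^iptables'
}

# Print the chosen rule set, or feed it to sh when APPLY=1.
# Usage:  STACK=native sh ipsec-filter.sh             (preview)
#         STACK=freeswan APPLY=1 sh ipsec-filter.sh   (apply; needs root)
if [ -n "${STACK:-}" ]; then
    case "$STACK" in
        native)   rules=native_rules ;;
        freeswan) rules=freeswan_rules ;;
        *) echo "unknown STACK: $STACK" >&2; exit 2 ;;
    esac
    if [ "${APPLY:-0}" = 1 ]; then "$rules" | sh; else "$rules"; fi
fi
```

The final DROP in each set matters: without it, inner packets that match no port rule fall through to whatever the rest of the INPUT chain allows, which is the same "anything inside ESP gets in" behaviour the thread is trying to avoid.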
