firewall + ipsec?

Neal D. Becker nbecker at hns.com
Tue Sep 23 19:19:45 UTC 2003


On Tuesday 23 September 2003 02:15 pm, Dax Kelson wrote:
> On Tue, 2003-09-23 at 08:27, Felipe Alfaro Solana wrote:
> > However, he will find another pitfall that I've
> > been unable to resolve and it's that once IPSec traffic passes by the
> > firewall, there is no way to perform additional filtering based on
> > TCP/UDP ports for example.
> >
> > Thus, if you enable ESP/AH (protocols 50 and 51), you will in fact
> > enable *any* IPSec-protected traffic to pass through the firewall,
> > without being able to filter that IPSec traffic based on TCP/UDP ports,
> > for example.
>
> This concern should only apply to ESP not AH. However, using the IPSec
> built in to the 2.6 kernel (or backported to the 2.4 kernel) you'll
> find that once the ESP packet is allowed, the *inner* packet then takes
> a trip through the firewall rules (again).
>
> This way you can filter ESP packets as well as the inner packet.
>
> Your concern then goes away.
>
> If you are using FreeSWAN, then you can filter the ports by applying
> your rules to the ipsec0 interface.
>
Actually, I'm testing Netlock VPN client for Nortel server.  AFAIK, FreeSWAN 
won't interoperate with Nortel's server, or at least, not as my employer has 
it configured (which is not under my control).
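The two filtering approaches Dax describes above (second pass of the decapsulated packet through netfilter on the 2.6 kernel, and per-interface rules on FreeSWAN's ipsec0) as an added example; this is not code from the thread or from any of the projects named in it. It assumes a hypothetical VPN peer at 203.0.113.10, SSH and HTTPS as the only services the tunnel should reach, and an IPTABLES variable so the rule set can be previewed with IPTABLES=echo before touching a live box. The key check is the netfilter `policy` match: without `-m policy --dir in --pol ipsec` the inner packet is matched by the same rules as cleartext traffic, and without `--pol none` on the cleartext rules the tunnel can reach anything those rules allow.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Run as
#   IPTABLES=echo sh ipsec-fw.sh       to preview the rules
#   sh ipsec-fw.sh apply               to load them (root, 2.6 kernel, xt_policy)
IPTABLES="${IPTABLES:-iptables}"
PEER="${PEER:-203.0.113.10}"   # assumed VPN gateway address (documentation range)

# 2.6-kernel (native IPsec) rule set.  The outer ESP/AH packet hits INPUT
# first; after decapsulation the inner packet hits INPUT again, and the
# policy match lets us tell the two passes apart.
ipsec_rules() {
    # Pass 1: the IPsec envelopes themselves, plus IKE and NAT-T, from the peer only.
    $IPTABLES -A INPUT -p udp -s "$PEER" --dport 500  -j ACCEPT
    $IPTABLES -A INPUT -p udp -s "$PEER" --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -p esp -s "$PEER" -j ACCEPT
    $IPTABLES -A INPUT -p ah  -s "$PEER" -j ACCEPT

    # Pass 2: decapsulated packets.  --pol ipsec matches only packets that
    # arrived inside an SA, so these rules never apply to cleartext traffic.
    $IPTABLES -A INPUT -m policy --dir in --pol ipsec --proto esp -p tcp --dport 22  -j ACCEPT
    $IPTABLES -A INPUT -m policy --dir in --pol ipsec --proto esp -p tcp --dport 443 -j ACCEPT
    # Anything else that came out of the tunnel is refused here, before the
    # cleartext rules below get a chance to accept it.
    $IPTABLES -A INPUT -m policy --dir in --pol ipsec -j DROP

    # Cleartext rules.  --pol none keeps them from also matching inner packets
    # (defence in depth in case the DROP above is ever reordered away).
    $IPTABLES -A INPUT -m policy --dir in --pol none -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -j DROP
}

# FreeSWAN/KLIPS variant: decrypted packets appear on the ipsec0 interface,
# so ordinary interface-based rules do the inner-packet filtering.
freeswan_rules() {
    $IPTABLES -A INPUT -i ipsec0 -p tcp --dport 22  -j ACCEPT
    $IPTABLES -A INPUT -i ipsec0 -p tcp --dport 443 -j ACCEPT
    $IPTABLES -A INPUT -i ipsec0 -j DROP
}

# Count of rules a function emits (used to sanity-check a dry run).
rule_count() {
    IPTABLES=echo "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    ipsec_rules
fi
```

A quick preview with `IPTABLES=echo sh ipsec-fw.sh` shows every rule in the order it will be loaded; `--strict` and `--tunnel-src` on the policy match can tighten the inner-packet rules further to a specific SA.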





More information about the fedora-test-list mailing list