[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes

Serge E. Hallyn serue at us.ibm.com
Thu Jun 22 20:51:35 UTC 2006


Quoting Eric W. Biederman (ebiederm at xmission.com):
> Ok.  The way it looks to me is this:
> 
> In the first network namespace connected to the outside world,
> we set up firewall rules to look at the security association (ipsec/ipauth)
> with the packet and forward that packet out different interfaces
> depending upon our security rules.
> 
> Each of the different outgoing interfaces hooks to a different network
> namespace, probably with a different security level.
> 
> The ip address is configured the same on the filter network namespace,
> and the destination network namespaces.
> 
> The tricky bit is that the filter network namespace needs firewall rules
> in place so that the returning packets are not allowed to spoof each other.

OTOH, if using the ipsec based labeling rather than cipso, that should
take care of the spoofing as well.

-serge



