[Openswan Users] Tunnels come up, but not all traffic goes through

Matt Harrell matt at mattharrell.net
Wed Jun 9 16:45:41 CEST 2004


I'm poking around the iptables information and patches now.  Hopefully 
this will result in a fix.  Thanks.

Matt Harrell wrote:

> I'm not quite sure how adding specific rules to pass traffic to and 
> from subnets in a tunnel is a security hole.  They're all non-routable 
> subnets.
>
> Anyway, this e-mail doesn't tell me much.  What exactly does this 
> mean?  Does it mean that the IPsec traffic in 2.6 kernels ignores the 
> iptables firewalling altogether?  Or does it mean that this simply 
> won't work as long as I'm using iptables?
>
> If there's some online resource that covers this, please point me to 
> it--I've been trying to find such a resource for two weeks.
>
> There clearly seems to be some kind of firewalling or routing issue 
> going on here, but I'm not finding what it is.
>
> Michael Richardson wrote:
>
>>>>>>> "Matt" == Matt Harrell <matt at mattharrell.net> writes:
>>    Matt> I should have mentioned that.  I did change all references to
>>    Matt> ipsec0 to eth1 (external NIC) in my iptables rules.  Is that
>>    Matt> all there is to it?
>>
>>  No. You have likely caused yourself a security hole.
>>
>>  You can not firewall IPsec things with 2.6 kernels, without patches.
>>
>> --
>> ]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
>> ]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
>> ] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
>> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
>

-- 
Matt Harrell
matt at mattharrell.net
http://www.mattharrell.net
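As an added illustration (not part of this thread and not Openswan code), here is the difference Michael is pointing at: with native 2.6 IPsec there is no ipsec0 device, so decrypted packets re-enter the stack on eth1 and a rule keyed on eth1 plus the remote subnet also admits unencrypted packets from the Internet that spoof that subnet; the iptables policy match (a patch at the time, standard in later iptables releases) restricts the rule to packets that were actually decapsulated from the tunnel. The interface name, subnet and peer address below are assumed, and the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Assumed values: remote tunnel subnet 192.168.2.0/24 reached over the
# external NIC eth1, peer gateway 203.0.113.1 (a documentation address).
# Rules are printed by default; set APPLY=1 to hand them to iptables.
set -e

EXT_IF="${EXT_IF:-eth1}"
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"
PEER="${PEER:-203.0.113.1}"
IPT="${IPT:-iptables}"

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$IPT" "$@"; else printf '%s\n' "$IPT $*"; fi
}

# What replacing ipsec0 with eth1 produces: any packet on eth1 claiming a
# tunnel-subnet source is accepted, whether or not it came out of the SA,
# so a spoofed cleartext packet from the Internet matches as well.
weak_rules() {
  run -A INPUT -i "$EXT_IF" -s "$REMOTE_NET" -j ACCEPT
  run -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -j ACCEPT
}

# Hardened form: let ESP and IKE from the peer in, then accept the
# tunnel subnet only on packets the policy match says were decapsulated
# from an ESP SA with that peer. Cleartext with the same source address
# falls through to the DROP policy.
strict_rules() {
  run -A INPUT -i "$EXT_IF" -p esp -s "$PEER" -j ACCEPT
  run -A INPUT -i "$EXT_IF" -p udp -m multiport --dports 500,4500 -s "$PEER" -j ACCEPT
  run -A INPUT -i "$EXT_IF" -s "$REMOTE_NET" \
      -m policy --dir in --pol ipsec --proto esp --tunnel-src "$PEER" -j ACCEPT
  run -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" \
      -m policy --dir in --pol ipsec --proto esp --tunnel-src "$PEER" -j ACCEPT
  run -A FORWARD -o "$EXT_IF" -d "$REMOTE_NET" \
      -m policy --dir out --pol ipsec --proto esp --tunnel-dst "$PEER" -j ACCEPT
  run -P INPUT DROP
  run -P FORWARD DROP
}

case "${1:-}" in
  weak)   weak_rules ;;
  strict) strict_rules ;;
esac
```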
