[Openswan Users] Tunnels come up, but not all traffic goes through

Herbert Xu herbert at gondor.apana.org.au
Thu Jun 10 10:20:40 CEST 2004


Michael Richardson <mcr at sandelman.ottawa.on.ca> wrote:
>
>>>>>> "Matt" == Matt Harrell <matt at mattharrell.net> writes:
>    Matt> I should have mentioned that.  I did change all references to
>    Matt> ipsec0 to eth1 (external NIC) in my iptables rules.  Is that
>    Matt> all there is to it?
> 
>  No. You have likely caused yourself a security hole.
> 
>  You can not firewall IPsec things with 2.6 kernels, without patches.

This is bullshit.  You *can* firewall IPsec traffic just fine with
2.6.  It is also unlikely to have caused security holes as the
kernel policy engine ensures that all traffic matching the selector
of the SAs must be protected by the specified SAs.

What you can't do easily is NATing or other similar operations
on IPsec.
-- 
Visit Openswan at http://www.openswan.org/
Email:  Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
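Added example, not code from this thread or from Openswan: what Matt's old ipsec0 rules look like once they are bound to eth1 on a native 2.6 stack. On the 2.6 kernel a decapsulated packet re-enters netfilter on the external interface carrying its inner header, so a rule written for eth1 alone cannot tell an ESP-protected packet from plaintext that merely claims to come from the remote subnet. The iptables `policy` match (xt_policy, present in later 2.6 kernels and iptables releases; this is an assumption about your kernel, check `iptables -m policy --help`) makes that distinction explicit. Interface names, subnets and the peer address are placeholders, and the script only prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original thread): firewalling native 2.6
# IPsec with iptables after ipsec0 went away.  EXT_IF, LAN_NET,
# REMOTE_NET and PEER are assumptions; replace them with your own.
#
# Assumes the iptables "policy" match (xt_policy), which lets a rule
# ask the kernel whether a packet was, or will be, IPsec-protected.

EXT_IF="${EXT_IF:-eth1}"                 # external NIC, formerly paired with ipsec0
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # subnet behind this gateway (placeholder)
REMOTE_NET="${REMOTE_NET:-10.0.0.0/24}"  # subnet behind the peer (placeholder)
PEER="${PEER:-203.0.113.5}"              # peer gateway, TEST-NET-3 placeholder

# Execute the rule only when APPLY=1 and running as root; otherwise
# print it, so the ruleset can be reviewed before it is loaded.
run() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

ipsec_rules() {
    # 1. IKE (UDP/500, UDP/4500 for NAT-T) and ESP, and only with PEER.
    run iptables -A INPUT  -i "$EXT_IF" -s "$PEER" -p udp --dport 500  -j ACCEPT
    run iptables -A INPUT  -i "$EXT_IF" -s "$PEER" -p udp --dport 4500 -j ACCEPT
    run iptables -A INPUT  -i "$EXT_IF" -s "$PEER" -p esp -j ACCEPT
    run iptables -A OUTPUT -o "$EXT_IF" -d "$PEER" -p udp --sport 500  -j ACCEPT
    run iptables -A OUTPUT -o "$EXT_IF" -d "$PEER" -p udp --sport 4500 -j ACCEPT
    run iptables -A OUTPUT -o "$EXT_IF" -d "$PEER" -p esp -j ACCEPT

    # 2. Decapsulated traffic arrives on EXT_IF with its inner header.
    #    Accept it only if the kernel says it came out of an ESP tunnel
    #    from PEER; plaintext from REMOTE_NET spoofed onto EXT_IF carries
    #    no inbound policy (--pol none) and is dropped.
    run iptables -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -d "$LAN_NET" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel \
        --tunnel-src "$PEER" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -d "$LAN_NET" \
        -m policy --dir in --pol none -j DROP

    # 3. Outbound: LAN -> REMOTE_NET may leave only if an outbound policy
    #    will wrap it in ESP towards PEER; anything else is dropped.
    run iptables -A FORWARD -o "$EXT_IF" -s "$LAN_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel \
        --tunnel-dst "$PEER" -j ACCEPT
    run iptables -A FORWARD -o "$EXT_IF" -s "$LAN_NET" -d "$REMOTE_NET" -j DROP
}

ipsec_rules
```

To see the selectors the kernel itself enforces, compare the `-s`/`-d` pairs above with the output of `ip xfrm policy` and `ip xfrm state` (iproute2) after the tunnel is up; the policy match only refines what the XFRM policy engine already requires, it does not replace it.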