[Openswan Users] Tunnels come up, but not all traffic goes through

Michael Richardson mcr at sandelman.ottawa.on.ca
Thu Jun 10 14:29:59 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Matt" == Matt Harrell <matt at mattharrell.net> writes:
    Matt> I'm not quite sure how adding specific rules to pass traffic
    Matt> to and from subnets in a tunnel is a security hole.  They're
    Matt> all non-routable subnets.

  Never, never, never make that assumption. If that were true, then
you wouldn't need IPsec at all. A straight IPIP or GRE tunnel would work
just fine.

  Always assume that your first hop router is compromised.

    Matt> this mean?  Does it mean that the IPsec traffic in 2.6 kernels
    Matt> ignores the iptables firewalling altogether?  Or does it mean
    Matt> that this simply won't work as long as I'm using iptables?

  It means that the INPUT ruleset gets applied to the encrypted packets.

  You may be able to use the FORWARD ruleset successfully; it depends
upon your usage.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQMialIqHRg3pndX9AQGU0wP/cVfupBOinHn9FuLV0/J7LtT0wo1qn0ch
GMWECOubN0NPgKtpFw3AvKdN7wY6eBoW5CXYeunNj07KlGKSa2DzvXP8ipyr65RZ
HdcSSr/aeecj/061jDKMR2I0SQReqaR0d9sB6MHiUHi3WceSalNEUNJzqU1o0sPk
Bo7ScP55PA0=
=LZ5C
-----END PGP SIGNATURE-----
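One way to put both points of the reply above into practice on a 2.6 kernel with native IPsec, as an added example that is not part of the mail or of Openswan: a small iptables script. INPUT, which sees the still-encrypted packets, accepts only IKE and ESP from the known peer gateway; FORWARD, where the decapsulated plaintext passes, does not trust an RFC1918 source address on its own but requires, via the iptables policy match (the xt_policy extension, which needs a kernel and iptables newer than this 2004 mail), that the packet actually arrived through the ESP tunnel from that peer, and drops the same subnet arriving in the clear from the first-hop router. The interface name, the peer address and the two subnets are assumed placeholders; IPT_DRY_RUN is a convention of this script, not of iptables, and prints the rules instead of loading them so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Openswan.
# Assumed placeholder values; adjust to your own gateway.
EXT_IF="eth0"              # interface towards the (untrusted) first-hop router
PEER_GW="203.0.113.2"      # remote IPsec gateway (documentation address)
LOCAL_NET="10.1.0.0/24"    # subnet behind this gateway
REMOTE_NET="10.2.0.0/24"   # subnet behind the peer

# ipt: wrapper around iptables. With IPT_DRY_RUN=1 (a convention of this
# script) the rule is printed instead of loaded, so it can be reviewed on a
# machine without root or iptables.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # INPUT on a 2.6 kernel sees the encrypted packets: all the gateway
    # itself should accept from outside is IKE (500, 4500 for NAT-T) and
    # ESP, and only from the known peer.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p udp -s "$PEER_GW" --dport 500 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p udp -s "$PEER_GW" --dport 4500 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p esp -s "$PEER_GW" -j ACCEPT

    # FORWARD sees the decapsulated plaintext, still attributed to EXT_IF.
    # A private source address proves nothing (the first hop may forge it),
    # so require that the packet really came out of an ESP tunnel from PEER_GW.
    ipt -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel \
        --tunnel-src "$PEER_GW" -j ACCEPT
    # The same subnets arriving in the clear, or our own subnet arriving
    # from outside, are spoofed: log and drop.
    ipt -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -j LOG --log-prefix "cleartext-spoof: "
    ipt -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$LOCAL_NET" -j DROP
    # Outbound: let LOCAL_NET -> REMOTE_NET leave only if it will be encrypted,
    # so nothing leaks in plaintext while the tunnel is down.
    ipt -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel \
        --tunnel-dst "$PEER_GW" -j ACCEPT
}

# Usage:  IPT_DRY_RUN=1 sh ipsec-fw.sh show   (review the rules)
#         sh ipsec-fw.sh apply                 (load them, as root)
case "${1:-}" in
    show)  IPT_DRY_RUN=1 load_rules ;;
    apply) load_rules ;;
esac
```

The policy match is what separates "a packet with a 10.2.0.0/24 source" from "a packet with that source that was delivered inside an ESP SA from the peer"; without it, an attacker on the path can inject packets with the remote private addresses and the FORWARD rules cannot tell them apart.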

