[Openswan Users] Tunnels come up, but not all traffic goes through
Michael Richardson
mcr at sandelman.ottawa.on.ca
Fri Jun 11 12:40:27 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:
>> # permit LAN-C to connect to special server at 1.19:
>> iptables -A INPUT -i ipsec0 -s 192.168.2.0/24 -d 192.168.1.19/32 -j ACCEPT
>> iptables -A INPUT -i ipsec0 -s 192.168.3.0/24 -d 192.168.1.19/32 -j DROP
>>
>> .... (apologies for syntax error)
>>
>> Now, if one simply "change all references to ipsec0 to eth1",
>> then one has just permitted traffic from the outside to arrive on
>> eth1, unencrypted.
Herbert> No you haven't. As long as your IPsec connection is
Herbert> routed/up, there will be a policy in the kernel policy
Herbert> engine that says any traffic matching those criteria must
Herbert> be encrypted using IPsec. Any traffic from 192.168.2.0/24
Herbert> to 192.168.1.0/24 which comes in clear from *any* interface
Herbert> will be dropped.
Oh, and you still didn't accomplish the goal of restricting access to
192.168.1.19/32, unless you also make that part of the SPD.
I still don't get why 26sec introduced yet-another-firewall into the
kernel.
- --
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQMnSYoqHRg3pndX9AQGpNAQAk1/0La8A/asD4OoXI66tdMIJ8JuBSmly
RysNY956Pp81juA2CQ3V6r/0exU8znZY1f//I7Hq7pa8SwVdGhUVe8Ul791LivZT
c6wW6SvaZzhWRyrgafq9YMgN6zD46WsZIuSqJQzJC3DsMlqWIBrbPsYhixPHW4NT
UvG3mWDrtXU=
=yf99
-----END PGP SIGNATURE-----
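The exchange above turns on what a 2.6 native-IPsec ("26sec") host does with a packet before the iptables INPUT chain sees it. The following model is an added illustration, not code from this thread, from Openswan or from the kernel: it approximates the inbound XFRM policy check (cleartext traffic matching a require-IPsec selector is discarded on any interface, and decrypted traffic must match a selector) followed by an interface-matched filter chain. The `pol_ipsec` field stands in for the iptables policy match (`-m policy --dir in --pol ipsec`), which is assumed to be available and postdates this thread; all addresses and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    iface: str
    via_ipsec: bool  # True when the packet arrived inside ESP and was decrypted


@dataclass
class Policy:
    """Inbound SPD selector; every entry here requires IPsec (what a routed conn installs)."""
    src_net: str
    dst_net: str


@dataclass
class Rule:
    """One INPUT rule: -i iface -s src -d dst [-m policy --dir in --pol ipsec] -j target."""
    iface: str
    src_net: str
    dst_net: str
    target: str
    pol_ipsec: Optional[bool] = None  # None = no policy match, True = --pol ipsec, False = --pol none


def _in_net(net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def spd_check(spd: List[Policy], pkt: Packet) -> str:
    """Simplified inbound XFRM policy check: 'pass' to netfilter or 'drop'."""
    covered = any(_in_net(p.src_net, pkt.src) and _in_net(p.dst_net, pkt.dst) for p in spd)
    if pkt.via_ipsec:
        # Decrypted traffic is only accepted if some selector matches the inner packet.
        return "pass" if covered else "drop"
    # Cleartext traffic is discarded wherever a require-IPsec selector covers it,
    # regardless of which interface it arrived on (Herbert's point).
    return "drop" if covered else "pass"


def filter_check(rules: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """First-match evaluation of the INPUT chain with an explicit chain policy."""
    for r in rules:
        if r.iface != pkt.iface:
            continue
        if not (_in_net(r.src_net, pkt.src) and _in_net(r.dst_net, pkt.dst)):
            continue
        if r.pol_ipsec is not None and r.pol_ipsec != pkt.via_ipsec:
            continue
        return r.target
    return default


def verdict(spd: List[Policy], rules: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """Run the policy check first, then the filter chain, as the inbound path does."""
    if spd_check(spd, pkt) == "drop":
        return "DROP(spd)"
    return filter_check(rules, pkt, default)


# Constructed scenario: LAN-C (192.168.2.0/24) tunnels to LAN-A (192.168.1.0/24),
# and only the server at 192.168.1.19 is meant to be reachable from LAN-C.
BROAD_SPD = [Policy("192.168.2.0/24", "192.168.1.0/24")]
NARROW_SPD = [Policy("192.168.2.0/24", "192.168.1.19/32")]

# The ipsec0 rules rewritten against eth1, as discussed in the thread.
ETH1_RULES = [
    Rule("eth1", "192.168.2.0/24", "192.168.1.19/32", "ACCEPT"),
    Rule("eth1", "192.168.2.0/24", "192.168.1.0/24", "DROP"),
]

# The same restriction using the policy match, so only decrypted traffic is accepted.
POLICY_RULES = [
    Rule("eth1", "192.168.2.0/24", "192.168.1.19/32", "ACCEPT", pol_ipsec=True),
    Rule("eth1", "192.168.2.0/24", "192.168.1.0/24", "DROP"),
]

CLEAR_SPOOF_TO_19 = Packet("192.168.2.5", "192.168.1.19", "eth1", via_ipsec=False)
TUNNEL_TO_19 = Packet("192.168.2.5", "192.168.1.19", "eth1", via_ipsec=True)
TUNNEL_TO_50 = Packet("192.168.2.5", "192.168.1.50", "eth1", via_ipsec=True)


def demo() -> dict:
    """Verdicts for the scenarios argued in the thread (returned for checking, not printed)."""
    return {
        # Cleartext spoof of a tunnel source hits the SPD before any iptables rule.
        "clear_spoof_broad_spd": verdict(BROAD_SPD, ETH1_RULES, CLEAR_SPOOF_TO_19),
        # Legitimate tunnel traffic to .19 passes the SPD and the ACCEPT rule.
        "tunnel_to_19_broad_spd": verdict(BROAD_SPD, ETH1_RULES, TUNNEL_TO_19),
        # With a /24 selector, keeping LAN-C off .50 relies on the filter chain alone.
        "tunnel_to_50_broad_spd": verdict(BROAD_SPD, ETH1_RULES, TUNNEL_TO_50),
        # With .19/32 in the SPD, the kernel rejects decrypted traffic to .50 itself.
        "tunnel_to_50_narrow_spd": verdict(NARROW_SPD, ETH1_RULES, TUNNEL_TO_50),
        # Policy match: the ACCEPT rule only fires for packets that came through IPsec.
        "policy_match_tunnel_to_19": verdict(BROAD_SPD, POLICY_RULES, TUNNEL_TO_19),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `tunnel_to_50_*` pair is the part of the argument that matters for a migration from KLIPS: with a /24 selector the per-host restriction exists only in the filter chain, whereas narrowing the SPD selector to 192.168.1.19/32 makes the kernel enforce it before netfilter runs.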