Re: [OT] Connection tracking for IPSec

[Christophe Saout]

Am Mi, 2003-08-20 um 16.22 schrieb Felipe Alfaro Solana:
>  saying it's not honouring the netfilter rules at all?
> 
> No... What I'm saying is that normal IP traffic is processed by the
> firewall. However, if the incoming traffic is protected with IPSec,
> since I opened up protocols 50 and 51, the IPSec traffic is admitted
> without passing any remaining firewall filters. The machine in question
> is an end host (not a router).

Yes, you're right. I just checked. Only the encrypted traffic passes the
netfilter rules, never the unencrypted data. So if you open the
protocols 50 and 51, the encrypted data can pass, gets
encrypted/decrypted and that data can always pass unchecked.

These packets should get reinjected into the netfilter mechanism after
decryption and should pass the rules before getting encrypted.

--
Christophe Saout <christophe@xxxxxxxx>
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/