Re: [OT] Connection tracking for IPSec

From: Felipe Alfaro Solana
Date: Wed Aug 20 2003 - 10:25:56 EST

Next message: jamal: "RE: [2.4 PATCH] bugfix: ARP respond on all devices"
Previous message: Martin Zwickel: "2.6.0-t3: vfs/ext3 do_lookup bug?!"
In reply to: Christophe Saout: "Re: [OT] Connection tracking for IPSec"
Next in thread: Jose Luis Domingo Lopez: "Re: [OT] Connection tracking for IPSec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2003-08-20 at 16:53, Christophe Saout wrote:
> > No... What I'm saying is that normal IP traffic is processed by the
> > firewall. However, if the incoming traffic is protected with IPSec,
> > since I opened up protocols 50 and 51, the IPSec traffic is admitted
> > without passing any remaining firewall filters. The machine in question
> > is an end host (not a router).
>
> Yes, you're right. I just checked. Only the encrypted traffic passes the
> netfilter rules, never the unencrypted data. So if you open the
> protocols 50 and 51, the encrypted data can pass, gets
> encrypted/decrypted and that data can always pass unchecked.
>
> These packets should get reinjected into the netfilter mechanism after
> decryption and should pass the rules before getting encrypted.

Exactly! Now, I dont know how to reinject the IPSec-decrypted packets
back to the netfilter engine. Anyone?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: jamal: "RE: [2.4 PATCH] bugfix: ARP respond on all devices"
Previous message: Martin Zwickel: "2.6.0-t3: vfs/ext3 do_lookup bug?!"
In reply to: Christophe Saout: "Re: [OT] Connection tracking for IPSec"
Next in thread: Jose Luis Domingo Lopez: "Re: [OT] Connection tracking for IPSec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]