From: Dalin S. Owen (dowenpstis.com)
Date: Mon Mar 04 2002 - 19:15:16 CST


    I have IPsec running between two FreeBSD machines (over an 802.11b link),
    they are manually keyed (not using an IKE daemon). First question, is it
    more secure to use an IKE? I mean, doesn't it rotate keys, instead of just
    using static ones? And if I use an IKE, can those generated keys be sniffed,
    or are they encrypted with the last key?

    Now, another issue. I have the following rules on each machine with ipfw (I
    am only going to show the relevant ones for simplicity):

    #nat box (I have a separate interface for the 802.11 AP)
    ipfw add 10 allow esp from any to any via dc1
    #this stops anyone from using my AP
    ipfw add 20 deny ip from any to any via dc1

    #workstation
    ipfw add 10 allow esp from any to any

    Now, everything works fine. But I would like to be able to firewall the
    packets *after* they are translated by IPsec (ESP) with IPFW. How would I
    do that? They seem to only pass into IPFW once, not twice. Can you run IPF
    with IPFW to do it, and in that case which firewalling system gets matched
    first?

    Thanks!
    Dalin Owen
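The first question above (does IKE rotate keys, and can the rotated keys be sniffed?) comes down to how an IKE-style exchange derives its keys. The following is an added example, not code from the original post, FreeBSD, or any IKE daemon: a stripped-down, IKEv2-flavoured model in standard-library Python. Each SA's keys are computed on both ends from a fresh Diffie-Hellman secret plus the nonces and SPI, so nothing that carries the key ever crosses the wire; a rekey after a byte lifetime repeats the exchange and produces unrelated keys. The 1024-bit MODP group is RFC 2409 group 2; the derivation (SKEYSEED from prf over the nonces and g^xy, then a prf+ expansion) is simplified from RFC 7296, and the `Tunnel` class, its byte lifetime and the SPI numbering are assumptions of this example. It deliberately omits peer authentication, which a real IKE exchange adds to stop an active man-in-the-middle; passive sniffing is the case the question asks about.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP modulus, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Private exponent (stays on the host) and the public value g^x that goes on the wire."""
    x = secrets.randbits(256)
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """g^xy computed locally; a sniffer holding only g^x and g^y cannot do this."""
    return pow(peer_pub, priv, P)


def prf_plus(key, seed, length):
    """RFC 7296 prf+ expansion: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def derive_sa_keys(shared_secret, nonce_i, nonce_r, spi):
    """Simplified IKEv2 derivation: SKEYSEED = prf(Ni|Nr, g^xy); keymat = prf+(SKEYSEED, Ni|Nr|SPI)."""
    skeyseed = hmac.new(nonce_i + nonce_r, shared_secret.to_bytes(128, "big"), hashlib.sha256).digest()
    keymat = prf_plus(skeyseed, nonce_i + nonce_r + spi.to_bytes(4, "big"), 64)
    return {"enc": keymat[:32], "auth": keymat[32:]}  # 256-bit ESP cipher and integrity keys


def negotiate(spi):
    """One exchange. Returns (initiator keys, responder keys, everything visible on the wire)."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    wire = {"g^i": gi.to_bytes(128, "big"), "g^r": gr.to_bytes(128, "big"),
            "Ni": ni, "Nr": nr, "SPI": spi.to_bytes(4, "big")}
    keys_i = derive_sa_keys(dh_shared(xi, gr), ni, nr, spi)
    keys_r = derive_sa_keys(dh_shared(xr, gi), ni, nr, spi)
    return keys_i, keys_r, wire


def key_material_on_wire(keys, wire):
    """True if any derived key is literally one of the transmitted values (it never is)."""
    seen = set(wire.values())
    return any(k in seen for k in keys.values())


class Tunnel:
    """Assumed model of a daemon-managed ESP SA: renegotiate once the byte lifetime is spent."""

    def __init__(self, lifetime_bytes, first_spi=0x1000):
        self.lifetime = lifetime_bytes
        self.spi = first_spi
        self.history = []  # (SPI, enc key) of every SA used, to show rotation
        self._rekey()

    def _rekey(self):
        self.spi += 1
        keys_i, keys_r, wire = negotiate(self.spi)
        if keys_i != keys_r:
            raise RuntimeError("peers derived different keys")
        self.keys, self.used = keys_i, 0
        self.history.append((self.spi, keys_i["enc"]))

    def send(self, n_bytes):
        """Account for traffic; returns the SPI the packet was protected under."""
        if self.used + n_bytes > self.lifetime:
            self._rekey()
        self.used += n_bytes
        return self.spi


if __name__ == "__main__":
    t = Tunnel(lifetime_bytes=1_000_000)
    for size in (400_000, 400_000, 400_000):
        print("sent %d bytes under SPI 0x%x" % (size, t.send(size)))
    print("distinct SAs used:", len({k for _, k in t.history}))
```

Contrast this with the manually keyed setup in the post: there the single SA key is whatever was typed into the SPD, it is never replaced unless someone re-keys both hosts by hand, and every packet ever captured on the 802.11 link stays decryptable by anyone who later obtains it. With the exchange above, compromising one SA's keys says nothing about the next SA, because each rekey starts from a fresh g^xy.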

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message