From: Alex Kiesel (alex.kiesel_at_document-root.de)
Date: Sun Aug 18 2002 - 05:26:42 CDT


    On Aug 04, 2002, Borja Marcos wrote:
    > On Friday 02 August 2002 23:47, Matthew Grooms wrote:
    > > It's only backwards if you are used to implementing IPSEC communications
    > > in a non-gif'd configuration. As mentioned before, this is endorsed by
    > > many how-to's available. If you don't like this method, don't use it. I
    > > for one prefer the gif'd alternative but will be more than happy to
    > > admit that the benefits appear to be mostly cosmetic.
    >
    > I am not using gif right now, but I see two important advantages.
    >
    > I suppose it will be possible to put firewall rules in a gif interface.
    > Imagine that you establish a tunnel with a not so trusted party, only for a
    > limited purpose.

    As I understand http://asherah.dyndns.org/~josh/ipsec-howto.txt, Topic
    4:

    "The major change that is done is the use of
    the gif(4) device to get the routing correct. Note that traffic is *not*
    transported through the gif(4) tunnel! Instead the IPsec code in the
    kernel grabs the packets according to the specified policy and wraps them with
    the correct IP addresses for the IPsec tunnel. Effectively the packets
    receive new IP addresses which don't resemble a path through the gif tunnel."

    ... packets won't go through the gif-interface, so you cannot create
    firewall-rules based on the gif-interface (ok, you can - they won't get
    executed).

    Alex

    -- 
    Alex Kiesel                                     PGP Key: 0x09F4FA11
    Schlund+Partner                                    Entwicklung Unix
    

    The problem with troubleshooting is that trouble shoots back!
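As an added illustration of the setup the HOWTO describes (this is not from the thread or the HOWTO itself), the configuration shape on one gateway, with constructed addresses and assumed interface names (gif0, fxp0); the ipfw placement of the decapsulated-packet rules is an assumption about KAME behaviour, not something the message states:

```conf
# Constructed example. Gateway A: public 198.51.100.1, LAN 192.168.1.0/24.
# Gateway B: public 203.0.113.1, LAN 192.168.2.0/24. gif0 is assumed to exist.

# 1. gif(4) only supplies the route to the far LAN (the "routing correct" part).
ifconfig gif0 tunnel 198.51.100.1 203.0.113.1
ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 255.255.255.255
route add -net 192.168.2.0/24 192.168.2.1

# 2. SPD: the kernel grabs packets matching these policies and wraps them in
#    ESP between the public addresses. They never transit gif0.
setkey -c <<EOF
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
EOF

# 3. Firewall. A rule keyed on gif0 is never consulted for the protected traffic:
#    ipfw add 100 deny ip from 192.168.2.0/24 to 192.168.1.0/24 via gif0   # never fires
#    Match what actually arrives instead: ESP and IKE on the outer interface ...
ipfw add 200 allow esp from 203.0.113.1 to 198.51.100.1 in via fxp0
ipfw add 210 allow udp from 203.0.113.1 500 to 198.51.100.1 500 in via fxp0
#    ... then the inner addresses of the decapsulated packets (assumed: KAME
#    re-injects them inbound, so do not key these rules on gif0).
ipfw add 300 allow tcp from 192.168.2.0/24 to 192.168.1.10 80 in
ipfw add 310 deny log ip from 192.168.2.0/24 to 192.168.1.0/24 in
```

The "limited purpose" tunnel from the quoted message is therefore restricted by rules 300/310 on inner addresses, not by anything attached to gif0.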
