From: Rick Kennell <kennell@ecn.purdue.edu>
To: netfilter@lists.netfilter.org
Subject: port-based filtering of IPsec packets?
Date: 23 Jul 2003 14:35:19 -0500
Message-ID: <1058988918.6068.29.camel@insomnia.ecn.purdue.edu>


I'm curious how I might do port-based filtering of IPsec packets with
iptables.  Presently, filtering IPsec-encrypted packets is an
all-or-nothing proposition because iptables can't look inside an ESP
section to get the port info.  It can only filter ESP packets based on
the SPI.  Actually, I'm not even sure how I'd get iptables to do
address-based filtering of IPsec packets.

Why would I want this?  Well, I might want to do opportunistic IPsec and
allow arbitrary parties to interact with my host, but I still want to
make sure that only selected services are made available.

I noticed that a similar thing was asked over on the FreeBSD side of the
world:

   http://www.bsdforums.org/forums/showthread.php?threadid=11725

Somehow, I don't expect the iptables solution to be quite so easy.

-- 
Rick Kennell <kennell@ecn.purdue.edu>
Purdue University Department of Electrical and Computer Engineering
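An added illustration of the all-or-nothing problem the post describes (example code, not from the post or from netfilter): a stateless filter that parses only the outer IPv4 header can read TCP ports in cleartext, but for protocol 50 (ESP) it sees nothing past the SPI and sequence number, so a port-based decision is impossible without decryption. The packets, addresses and SPI value below are constructed, not captured traffic.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header; return protocol, addresses and the L4 payload."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return {"proto": proto, "src": src, "dst": dst, "payload": pkt[ihl:]}


def visible_fields(pkt: bytes) -> dict:
    """Return only what a packet filter can see without decrypting anything."""
    ip = parse_ipv4(pkt)
    info = {"src": ip["src"], "dst": ip["dst"], "proto": ip["proto"]}
    if ip["proto"] == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        info.update({"sport": sport, "dport": dport})
    elif ip["proto"] == IPPROTO_ESP:
        # ESP header (RFC 2406): 32-bit SPI, 32-bit sequence number, then ciphertext.
        # The inner transport header, ports included, is inside the ciphertext.
        spi, seq = struct.unpack("!II", ip["payload"][:8])
        info.update({"spi": spi, "seq": seq})
    return info


def allows(info: dict, allowed_ports: set, allowed_spis: set) -> bool:
    """Stateless decision: per-port for cleartext TCP, per-SPI (i.e. per-SA) for ESP."""
    if info["proto"] == IPPROTO_TCP:
        return info["dport"] in allowed_ports
    if info["proto"] == IPPROTO_ESP:
        return info["spi"] in allowed_spis   # all traffic on that SA, any service
    return False


def ipv4_header(proto: int, src: tuple, dst: tuple, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed test data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst))


# Constructed sample packets: a TCP SYN to port 22, and an ESP packet on SPI 0x12345678.
TCP_PKT = ipv4_header(IPPROTO_TCP, (10, 0, 0, 1), (10, 0, 0, 2), 20) + struct.pack(
    "!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 65535, 0, 0)
ESP_PKT = ipv4_header(IPPROTO_ESP, (10, 0, 0, 1), (10, 0, 0, 2), 8 + 16) + struct.pack(
    "!II", 0x12345678, 1) + bytes(16)   # 16 opaque bytes stand in for ciphertext
```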