search for: spadd

Hi all, I have two prodction servers with FreeBSD 5.4 (all security patches are applied). They running some services like dns, ssh, http, ftp, etc. But I woukd like to encrypt some services for some hosts with ipsec when it is accessed. For example: - DNS resolution: not encrypted. - DNS replication master-slave: encrypted by ipsec. - Telnet: encrypted by ipsec for some hosts. Deny

.... We would like to send only the syn packet of a tcp connection through certain ipsec tunnels and the rest of the packets in a connection though a simple transport mode setup. Yeah, I know it's strange but what can I say -- we do a lot of strange things. From the best I can tell, the setkey/spadd filtering capability isn't sophisticated enough to detect syn packets. Since ipfw does do this sort of thing we can use this to filter out the syn packet and using divert sockets (we have a lot of experience at writing divert sockets) we can put a wrapper around it so that it goes to a particu...