Magnus Hyllander wrote:
> > I guess what I'm wondering is, how does Shorewall (netfilter) know which
> > zone a certain road warrior belongs to?

I've just completed getting dynamic zones working with ipsec again. A dynamic IPSEC zone is defined in /etc/shorewall/zones by following the short name (first column) with ":ipsec". The code is in CVS.

There are a couple of netfilter parameters that can select among the policies defined in the SAD/SPD:

a) SPI
b) REQID (the number after "unique" in an SPD and specified using the "-u" option in an SAD).

I'll probably allow zones to be defined in terms of these parameters eventually (once I understand them :-) ) by extending the above syntax:

z:ipsec,reqid=44,spi=0x2445

or some such nonsense...

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
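As an added illustration of the first-column syntax Tom describes above (this is not Shorewall's own parser, and the comma-separated reqid=/spi= form is only his proposed extension), the following Python reads the first column of a zones file, recognises the ":ipsec" qualifier and the sketched selectors, and rejects anything it does not understand. The zone-name rule, the column layout of the sample file and the option grammar are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed zone-name rule (not taken from the thread): short alphanumeric
# name, starting with a letter, at most five characters.
_ZONE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,4}$")


@dataclass
class ZoneDef:
    name: str
    ipsec: bool = False
    reqid: Optional[int] = None   # REQID selector (proposed syntax)
    spi: Optional[int] = None     # SPI selector (proposed syntax)


def parse_zone_spec(spec: str) -> ZoneDef:
    """Parse one first-column entry such as 'net', 'vpn:ipsec' or
    'vpn:ipsec,reqid=44,spi=0x2445'.  Raises ValueError on malformed input."""
    name, sep, rest = spec.strip().partition(":")
    if not _ZONE_NAME.match(name):
        raise ValueError(f"invalid zone name {name!r}")
    zone = ZoneDef(name=name)
    if not sep:
        return zone                      # plain zone, no qualifier
    parts = rest.split(",")
    if parts[0] != "ipsec":
        raise ValueError(f"unknown zone qualifier {parts[0]!r} in {spec!r}")
    zone.ipsec = True
    for opt in parts[1:]:
        key, eq, value = opt.partition("=")
        if not eq or not value:
            raise ValueError(f"option {opt!r} must be key=value")
        if key == "reqid":
            zone.reqid = int(value, 10)  # REQID written as a decimal number
        elif key == "spi":
            zone.spi = int(value, 0)     # SPI conventionally written as 0x... hex
            if not 0 <= zone.spi <= 0xFFFFFFFF:
                raise ValueError(f"spi {value} out of 32-bit range")
        else:
            raise ValueError(f"unknown ipsec option {key!r}")
    return zone


def is_valid_zone_spec(spec: str) -> bool:
    """Convenience check: True if parse_zone_spec accepts the entry."""
    try:
        parse_zone_spec(spec)
        return True
    except ValueError:
        return False


def parse_zones_file(text: str) -> List[ZoneDef]:
    """Parse the first column of every non-blank, non-comment line."""
    zones = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()   # drop comments
        if not stripped:
            continue
        first_col = stripped.split()[0]
        try:
            zones.append(parse_zone_spec(first_col))
        except ValueError as e:
            raise ValueError(f"line {lineno}: {e}") from e
    return zones


# Constructed sample zones file (not from the thread); the ZONE/DISPLAY/COMMENTS
# column layout is assumed for the example.
SAMPLE_ZONES = """\
#ZONE                          DISPLAY   COMMENTS
net                            Net       Internet
loc                            Local     Local LAN
vpn:ipsec                      VPN       Road warriors over IPSEC
rw:ipsec,reqid=44,spi=0x2445   RW        Proposed per-SA selector syntax
"""

if __name__ == "__main__":
    for z in parse_zones_file(SAMPLE_ZONES):
        print(z)
```

Running the block prints one ZoneDef per sample line; an entry such as "vpn:foo" or "vpn:ipsec,spi=notanumber" is reported with its line number rather than silently accepted.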
Tom Eastep wrote:
| Magnus Hyllander wrote:
|
|> I guess what I'm wondering is, how does Shorewall (netfilter) know
|> which zone a certain road warrior belongs to?
|

Now that I've finished the IPSEC implementation, I still have no clue how to segregate road warriors into zones (or if it is even possible). If someone who knows more about the 2.6 IPSEC implementation than I do has any ideas, I will be happy to document them.

-Tom
Tom Eastep
2004-Aug-21 19:07 UTC
Re: [Shorewall-devel] Re: Re: [Shorewall-announce] Shorewall 2.1.4
Tom Eastep wrote:
| Tom Eastep wrote:
| | Magnus Hyllander wrote:
| |
| |> I guess what I'm wondering is, how does Shorewall (netfilter) know
| |> which zone a certain road warrior belongs to?
| |
| Now that I've finished the IPSEC implementation, I still have no clue
| how to segregate road warriors into zones (or if it is even possible). If
| someone who knows more about the 2.6 IPSEC implementation than I do has
| any ideas, I will be happy to document them.
|

I guess one approach might be to use one of the xxxS/Wan packages that supports the 2.6 Native IPSEC implementation and continue to use Shorewall dynamic zones.

-Tom