Hi list!

Some time ago there was a discussion about kernel 2.6, there were some issues and things that were not yet supported (a.o. ipsec implementation of kernel 2.6).

I could not find a statement on the website about the status of kernel version 2.6 support in shorewall.

Does shorewall fully support kernel 2.6?

I want to migrate an old RedHat box to a platform that is better supported and would like to migrate to kernel 2.6 and also I want to migrate from FreeSwan as development of that has stopped so I need to look at alternatives there (maybe OpenVPN?)

Thanks!

Remco

Remco Barendse wrote:
> Hi list!
>
> Some time ago there was a discussion about kernel 2.6, there were some
> issues and things that were not yet supported (a.o. ipsec implementation of
> kernel 2.6).
>

Netfilter/iptables does not support the 2.6 IPSEC implementation (although it can be made to work in simple configurations). When it does, so will Shorewall although Shorewall support will never be as good as it was for IPSEC under the 2.4 kernels.

> I could not find a statement on the website about the status of kernel
> version 2.6 support in shorewall.
>
> Does shorewall fully support kernel 2.6?
>

I don't know what you mean by "fully support". If you mean "Does Shorewall contain specific support for all of the new Netfilter modules available in 2.6", then the answer is no. Shorewall 2.0.1 will add support for the 'physdev match' module (Bridging) and the NETMAP target and I will continue to add support in future releases as time and interest allow. Do you have a particular module in mind?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks for your reply and explanation!

On Mon, 5 Apr 2004, Tom Eastep wrote:
> Remco Barendse wrote:
> > Hi list!
> >
> > Some time ago there was a discussion about kernel 2.6, there were some
> > issues and things that were not yet supported (a.o. ipsec implementation of
> > kernel 2.6).
>
> Netfilter/iptables does not support the 2.6 IPSEC implementation
> (although it can be made to work in simple configurations). When it
> does, so will Shorewall although Shorewall support will never be as good
> as it was for IPSEC under the 2.4 kernels.

Hmmm, what did the kernel developers have in mind to use as firewalling solution instead? Or did they just work on ipsec totally forgetting about firewalling? Sorry if this is a n00b question :) My only experience with vpn/ipsec is from freeswan.

If I read their website correctly I think openvpn supports kernel 2.6 and does not use ipsec. Does this mean that openvpn can be firewalled in a secure way under kernel 2.6 as opposed to ipsec?

> > I could not find a statement on the website about the status of kernel
> > version 2.6 support in shorewall.
> >
> > Does shorewall fully support kernel 2.6?
>
> I don't know what you mean by "fully support". If you mean "Does
> Shorewall contain specific support for all of the new Netfilter modules
> available in 2.6", then the answer is no. Shorewall 2.0.1 will add
> support for the 'physdev match' module (Bridging) and the NETMAP target
> and I will continue to add support in future releases as time and
> interest allow. Do you have a particular module in mind?

Not really, so far I'm only interested to know whether I can replace kernel 2.4 with 2.6 without losing any of the features / thingies currently available. Basically if I can do what I did on a 2.4 setup I'm happy :)

Remco Barendse wrote:
>> although Shorewall support will never be as good
>> as it was for IPSEC under the 2.4 kernels.
>
> Hmmm, what did the kernel developers have in mind to use as firewalling
> solution instead? Or did they just work on ipsec totally forgetting about
> firewalling? Sorry if this is a n00b question :) My only experience with
> vpn/ipsec is from freeswan.

The kernel developers added in-kernel support for IPSEC and the Netfilter team are now changing Netfilter to accommodate those changes. The lack of a tunnel interface (the ipsecN network interface is no longer present) means that remote VPN networks become sub-zones of the 'net' zone and that all ipsec traffic traverses the Netfilter chains twice (once un-encrypted and once encrypted).

>
> If I read their website correctly I think openvpn supports kernel 2.6 and
> does not use ipsec. Does this mean that openvpn can be firewalled in a
> secure way under kernel 2.6 as opposed to ipsec?
>

Yes -- I recommend using OpenVPN except in those cases where you absolutely must use IPSEC because of compatibility requirements.

>
> Not really, so far I'm only interested to know whether I can replace
> kernel 2.4 with 2.6 without losing any of the features / thingies
> currently available. Basically if I can do what I did on a 2.4 setup I'm
> happy :)
>

If you are not using IPSEC then you should be happy.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Remco Barendse wrote:
> Thanks for your reply and explanation!
>

Remco,

I subscribe to the shorewall list to learn how to configure shorewall/firewalls in general - not to be blasted with your personal opinion (conveniently embedded in the e-mail header) of MUA's. Please take your neat trick elsewhere.

...and finally, GROW UP!!!

Steve Cowles

On Tue, 2004-04-06 at 08:05, Cowles, Steve wrote:
> I subscribe to the shorewall list to learn how to configure
> shorewall/firewalls in general - not to be blasted with your personal
> opinion (conveniently embedded in the e-mail header) of MUA's. Please take
> your neat trick elsewhere.

Are you simply referring to the header:

X-message-flag: Outlook Sucks !

???

I had to go looking for it. So, is that what set you off?

--
"An opinion is like an asshole - everybody has one."
- Clint Eastwood as Harry Callahan, The Dead Pool - 1988.

Ed Greshko wrote:
>
> Are you simply referring to the header:
>
> X-message-flag: Outlook Sucks !
>
> ???
>
> I had to go looking for it. So, is that what set you off?
>

Remco is jerking Outlook users' chains -- Outlook displays the contents of that header prominently.

ENOUGH OF THIS THREAD!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net