Hello Tom !
You write in your guide http://shorewall.net/IPSEC-2.6.html
> Warning
>
> As of this writing, the Netfilter+ipsec and policy match
> support are broken when used with a bridge device. The problem
> has been reported to the responsible Netfilter developer who has
> confirmed the problem.
I've set up a bridge between my wlan (hostap) and my local net. I wanted
to use a restrictive ruleset for wlan users that only use WEP encryption,
i.e. allow only DNS and HTTP.
I prepared an ipsec tunnel on the bridge device to let wlan clients use
ipsec for full access to the local net with a different ruleset. I
think I had a configuration like that running under a 2.4.X kernel, but it
doesn't work under 2.6.
Could you keep the list informed if there is any news about this?
Perhaps my posting "Poor ipsec performance with policy match" has to do
with it?
-- 
__________________________________________________
Ralf Schenk
fon (02 41) 9 91 21-0
fax (02 41) 9 91 21-59
rs@databay.de
Databay AG
Hüttenstraße 7
D-52068 Aachen
www.databay.de
Databay - simply do it.
_________________________________________________