From: D. Hugh Redelmeier (hugh_at_mimosa.com)
Date: Wed Aug 14 2002 - 00:04:34 CEST
| From: Joe Patterson <jpatterson_at_asgardgroup.com>
| > The rationale is that FreeS/WAN just won't work with another setting of
| > rp_filter.
|
| That seems to be a rationale based on an incorrect assumption. Freeswan
| works just fine with rp_filter turned on, with a few specific exceptions.
| The case that I know of where rp_filter breaks things is when "right" is
| equal to or within "rightsubnet" (or "left", of course). But in the common
| case where you've got subnet-to-subnet tunnels with either no encryption
| gateway-gateway, or with gw-gw encryption supplied by replacing the
| freeswan-inserted route with one that sets the source as inside, then
| rp_filter does give you a security enhancement. It's better to have a
| well-thought-out firewall ruleset on both ends, but even better yet is to
| have both. (the whole defense-in-depth concept...)
The documentation of rp_filter (at least what I've found) is pathetic.
Do you have a better source?
The folk wisdom in our team is that rp_filter breaks with our use of
ipsec/physical interfaces. Your story is quite different. We need a
complete, consistent, and accurate story. Can you help us here?
Thanks for your information.
Hugh Redelmeier
hugh_at_mimosa.com voice: +1 416 482-8253
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
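The breaking case Joe describes (the peer gateway address "right" falling inside "rightsubnet", or "left" inside "leftsubnet") is easy to audit mechanically. The following is an added example, not code from the thread or from FreeS/WAN: it parses a constructed ipsec.conf-style excerpt and reports which conns would collide with rp_filter=1, so the remaining conns can keep the anti-spoofing check on.

```python
"""Added example (not part of the original thread): flag FreeS/WAN conns
where the thread says rp_filter breaks, i.e. a gateway address ("left" or
"right") lies inside that same side's subnet. The ipsec.conf excerpt below
is constructed for illustration."""
import ipaddress
import re

# Constructed sample: two conns, one clean and one in the breaking case.
SAMPLE_IPSEC_CONF = """\
conn net-to-net
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.7
    rightsubnet=10.2.0.0/16

conn gw-inside-subnet
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=10.2.0.1
    rightsubnet=10.2.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^conn\s+(\S+)", line)
        if head:
            current = conns.setdefault(head.group(1), {})
            continue
        kv = re.match(r"^\s+(\w+)=(\S+)", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return conns

def rp_filter_conflicts(conn):
    """Sides ('left'/'right') whose gateway address is inside its own subnet.
    Symbolic values such as %defaultroute or %any are skipped."""
    hits = []
    for side in ("left", "right"):
        gw, subnet = conn.get(side), conn.get(side + "subnet")
        try:
            if gw and subnet and ipaddress.ip_address(gw) in \
                    ipaddress.ip_network(subnet, strict=False):
                hits.append(side)
        except ValueError:
            continue
    return hits

def audit(text):
    """Map each conn to its conflicting sides; [] means rp_filter=1 is safe."""
    return {name: rp_filter_conflicts(c) for name, c in parse_conns(text).items()}

if __name__ == "__main__":
    for name, sides in audit(SAMPLE_IPSEC_CONF).items():
        print(name, "rp_filter OK" if not sides else f"conflict on {sides}")
```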
This archive was generated by hypermail 2.1.4 : Wed Aug 14 2002 - 01:19:43 CEST