Date:      Sun, 12 Mar 2017 01:16:19 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        Hooman Fazaeli <hoomanfazaeli@gmail.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: ipsec with ipfw
Message-ID:  <20170311221619.GU15630@zxy.spb.ru>
In-Reply-To: <58C46AE0.7050408@gmail.com>
References:  <58C46AE0.7050408@gmail.com>

On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote:

> Hi,
> 
> As you know the ipsec/setkey provide limited syntax to define security
> policies: only a single subnet/host, protocol number and optional port
> may be used to specify traffic's source and destination.
> 
> I was thinking about the idea of using ipfw as the packet selector for ipsec,
> much like it is used with dummynet. Something like:
> 
> ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table> 80,443,110,139
> 
> What do you think? Are you interested in such a feature?
> Is it worth the effort? What are the implementation challenges?

Security policies are the subject of the IKE protocol exchange; do you plan
to extend this protocol too?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170311221619.GU15630>
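To make the limitation described in the quoted message concrete, here is an added example (not from either poster) of what the current setkey(8) SPD syntax needs in order to cover a single remote server on the four TCP ports named in the proposed ipfw rule; the LAN prefix, server address and tunnel endpoints are constructed placeholders.

```conf
# Added example, not part of the thread. Placeholders:
#   192.0.2.0/24     - LAN prefix (one entry of the proposed <lan-table>)
#   198.51.100.10    - one remote server (one entry of <remote-servers-table>)
#   203.0.113.1/.2   - local and remote tunnel endpoints
# setkey policy form:
#   spdadd src[port] dst[port] proto -P dir ipsec esp/mode/local-remote/level;
# One policy can name only one host or prefix and at most one port per side,
# so the four ports of the ipfw rule become four outbound entries ...
spdadd 192.0.2.0/24[any] 198.51.100.10[80]  tcp -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 192.0.2.0/24[any] 198.51.100.10[443] tcp -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 192.0.2.0/24[any] 198.51.100.10[110] tcp -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 192.0.2.0/24[any] 198.51.100.10[139] tcp -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
# ... plus four mirrored inbound entries so replies are required to arrive protected.
spdadd 198.51.100.10[80]  192.0.2.0/24[any] tcp -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 198.51.100.10[443] 192.0.2.0/24[any] tcp -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 198.51.100.10[110] 192.0.2.0/24[any] tcp -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 198.51.100.10[139] 192.0.2.0/24[any] tcp -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
# With N remote servers this grows to 8*N entries, which is the duplication
# the single table-driven ipfw rule in the quoted message would avoid.
```

Load with `setkey -f <file>` and inspect the result with `setkey -DP`; note that the IKE daemon still negotiates its own traffic selectors for each SA, which is the point raised in the reply above.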