ipsec patches test: minor compilation and policy match issues
Stephen Frost
sfrost@snowman.net
Tue, 13 Jul 2004 12:10:21 -0400
* Patrick McHardy (kaber@trash.net) wrote:
> Stephen Frost wrote:
> >Ahhh, now that makes much more sense. I just had 'require' before. I'm
> >getting closer it seems. Now, at least, I seem to be able to match the
> >number I put after the 'unique:' using '--reqid'. Still doesn't work
> >when using '--spi' though. Not sure that I care though, unless someone
> >can tell me a reason why I should? It's important, of course, to match
> >the right packets, since I'm doing tunneling and different remote sites
> >will have access to different things and so different firewall rules to
> >handle them...
>
> Ooops, right, that was the --reqid option. I need to update the manpage
> again ;) Not sure what the problem with --spi is, I will test it myself
> soon.
Okay, thanks. For --reqid... Do you think that's sufficient to base
firewall rules off of? Can it be somehow 'faked' by the
remote/potentially untrusted side? That's my main issue. If it can't
and will only match if the ipsec packet is valid and coming from that
network then I don't need to care about --spi and will just use
--reqid...
Thanks,
Stephen
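The per-site firewalling Stephen describes, written out as an added example by the editor (it is not code from the thread or from the patch under discussion). It generates an iptables-restore ruleset in which each remote site's decrypted tunnel traffic is matched on the reqid assigned to that site's SA and confined to the local subnet that site may reach, while packets claiming a remote site's address range without IPsec protection are dropped. Assumptions: the option syntax of the policy match as it was later merged into iptables (-m policy --dir --pol --mode --reqid); the site names, reqids and subnets are constructed. The reqid is assigned locally by the SPD entry ('unique:N') and read by the match from the kernel's own SA state after decapsulation, not from anything the peer sends, which is the property that makes it usable as a rule key.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset where each
# remote site's decrypted tunnel traffic is selected by the IPsec policy match
# (--reqid) and confined to the local subnet that site is allowed to reach.
# Assumptions: policy match options as later merged into iptables
# (-m policy --dir --pol --mode --reqid); site names, reqids, subnets are constructed.

# gen_site_rules SITE REQID REMOTE_SUBNET LOCAL_SUBNET
gen_site_rules() {
    site="$1"; reqid="$2"; remote="$3"; allowed="$4"
    # Accept only when the kernel's SA state for this packet carries the site's
    # reqid. The reqid is set locally by the SPD entry ('unique:N') and is not
    # carried in the packet, so the peer cannot pick it; matching it means the
    # packet was decapsulated through that site's SA.
    printf '%s\n' \
      "# $site: decrypted via reqid $reqid, may reach $allowed only" \
      "-A FORWARD -s $remote -d $allowed -m policy --dir in --pol ipsec --mode tunnel --reqid $reqid -j ACCEPT" \
      "# $site: the same source range arriving without IPsec protection is spoofed" \
      "-A FORWARD -s $remote -m policy --dir in --pol none -j DROP"
}

# gen_ruleset: complete filter table; FORWARD defaults to DROP so anything
# not explicitly tied to a site's SA is refused.
gen_ruleset() {
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    gen_site_rules site-a 100 10.1.0.0/16 192.168.10.0/24
    gen_site_rules site-b 200 10.2.0.0/16 192.168.20.0/24
    printf '%s\n' 'COMMIT'
}

# Usage: gen_ruleset | iptables-restore   (inspect the output before loading it)
gen_ruleset
```

Each site gets exactly one ACCEPT keyed on its reqid and one DROP for unprotected packets bearing its address range; the chain's DROP policy handles everything else, so adding a site means adding one gen_site_rules line rather than touching existing rules.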