Serge E. Hallyn wrote:
> Quoting Eric W. Biederman ([EMAIL PROTECTED]):
>
>> Ok. The way it looks to me is this:
>>
>> In the first network namespace connected to the outside world.
>> We set up firewall rules to look at the security association (ipsec/ipauth)
>> with the packet and forward that packet out different interfaces
>> depending upon our security rules.
>>
>> Each of the different outgoing interfaces hooks to a different network
>> namespace. With probably a different security level.
>>
>> The ip address is configured the same on the filter network namespace,
>> and the destination network namespaces.
>>
>> The tricky bit is that the filter network namespace needs firewall rules
>> in place so that the returning packets are not allowed to spoof each other.
>
> OTOH, if using the ipsec-based labeling rather than cipso, that should
> take care of the spoofing as well.
Using CIPSO (or any explicit labeling mechanism) should resolve the spoofing
issue as well, since the packets are explicitly labeled by the kernel.

--
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
