I don't see SSH tunneling or running IPSEC in a VM as a security gain.  It
would be very complex with multiple points of failure.  If you don't trust the
traffic from the other endpoint, filter it with Shorewall after it's decrypted.
After decryption a packet will traverse the Shorewall rules where you can DROP
or REJECT if desired.

Also, with IPSEC using manual keying, you don't even need LibreSwan.  Look
at /usr/share/doc/initscripts/sysconfig.txt for IPSEC setup.

Bill

On 12/13/2017 11:55 AM, Tom Eastep wrote:
On 12/13/2017 08:47 AM, cac...@quantum-sci.com wrote:
On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
I'm setting up IPSec (LibreSwan) to come into my router. (a CentOS VM)

At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse
SSH tunneled from another machine).

Rather than flanging those ports directly to the outside interface in
the router, I'm hoping for a little added protection by listening them
on localhost, and then DNATing from the outside interface.

- Does this give any added protection?

- Does DNAT even work with UDP?  If not, what can I do?

- Is there a better way?

Can anyone advise?

I have many problems already, trying to get ipsec working.  Trying to
anticipate this one.

I believe it adds additional complexity with no benefit to security. But
to answer your other question, UDP can be DNATted; that is why IPSEC NAT
Traversal encapsulates the ESP packets in UDP (port 4500).

-Tom
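Bill's suggestion above (accept only the IKE/NAT-T/ESP packets on the outside, then filter the decrypted traffic with ordinary Shorewall rules) as an added Shorewall configuration example; it is not from either poster, and it assumes eth0 as the router's external interface and SSH as the only service the VPN peers may reach (both assumptions).

```conf
# /etc/shorewall/zones
# "ipsec" zones only match packets that the kernel has just decrypted
# (policy match --pol ipsec --dir in), so a packet from the same peer IP
# that did NOT arrive through the tunnel stays in the "net" zone.
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipsec

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter

# /etc/shorewall/hosts
# Road-warrior style: any peer address may appear in the vpn zone, but
# only for traffic that came out of an IPsec SA on eth0.
#ZONE   HOSTS           OPTIONS
vpn     eth0:0.0.0.0/0

# /etc/shorewall/policy
# Default-deny for the decrypted traffic as well; "info" logs each drop.
#SOURCE DEST    POLICY  LOGLEVEL
vpn     fw      DROP    info
vpn     net     DROP    info
fw      vpn     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# From the outside, the firewall only talks IKE (udp/500), NAT-T
# (udp/4500, which carries the UDP-encapsulated ESP Tom mentions) and
# raw ESP (IP protocol 50).  No DNAT to loopback is needed.
#ACTION SOURCE  DEST    PROTO   DPORT
ACCEPT  net     fw      udp     500,4500
ACCEPT  net     fw      esp

# Everything below is evaluated on the packet AFTER decryption, which is
# where the per-peer filtering belongs.  Here only SSH is allowed in;
# anything else from the tunnel hits the vpn->fw DROP policy above.
ACCEPT  vpn     fw      tcp     22
```

After editing, `shorewall check` validates the files and `shorewall restart` applies them; drops from the tunnel show up in the log with the `vpn` zone name, which is how you confirm the decrypted traffic really is traversing the rules.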



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


