This statement sounds like you think that if your IPSEC is compromised, the h@x0r will now have a session on the system (VM or native). Even if someone could inject traffic, it would be just a decrypted packet with a SRC= and a DST= that still needs to be routed. That packet must pass the rules. VM or not, how do you determine a packet is invalid?
If you're specific in tunnels with the GATEWAY column, a foreign packet will not be accepted.

#TYPE   ZONE    GATEWAY(S)       GATEWAY
#                                ZONE(S)
?COMMENT siteA tunnel
ipsec   inet    xxx.yyy.zzz.123

A foreign esp packet can also be dropped in the mangle PREROUTING chain:

CONTINUE:P   xxx.yyy.zzz.123   this.fw.addr.456   esp   # my pal siteA
DROP:P       -                 -                  esp   # I don't know you!!

Bill

On 12/14/2017 5:55 PM, cac...@quantum-sci.com wrote:
> Thanks. The reason I have this structure in mind is, if ipsec is compromised, I want the ne'er-do-well to end up in a benign VM, -not- the router.
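The tunnels entry and mangle rules in Bill's reply, turned into a small script as an added example (not from the thread and not Shorewall's own code): it parses a constructed Shorewall tunnels file, emits the matching CONTINUE:P/DROP:P mangle lines, and walks an ESP packet through them. The documentation-range addresses and the firewall address 192.0.2.1 are constructed stand-ins for the xxx.yyy.zzz.123 / this.fw.addr.456 placeholders above.

```python
"""Accept ESP only from the gateways listed in a Shorewall 'tunnels' file.
Added example for this thread, not Shorewall code; all addresses constructed."""
import ipaddress

# Constructed tunnels file (columns: TYPE ZONE GATEWAY GATEWAY_ZONE).
TUNNELS_FILE = """\
#TYPE   ZONE    GATEWAY(S)       GATEWAY
#                                ZONE(S)
?COMMENT siteA tunnel
ipsec   inet    203.0.113.123
?COMMENT siteB tunnel
ipsec   inet    198.51.100.7     vpn
"""

def parse_tunnels(text):
    """Return [(gateway, comment)] for each ipsec/ipsecnat entry.
    Skips blank lines and '#' comments; tracks ?COMMENT directives."""
    gateways, comment = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        if line.startswith("?COMMENT"):
            comment = line[len("?COMMENT"):].strip()
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("tunnels entry needs TYPE ZONE GATEWAY: %r" % raw)
        ttype, gateway = fields[0].split(":")[0], fields[2]   # 'ipsec:noah' -> 'ipsec'
        if ttype in ("ipsec", "ipsecnat") and gateway != "-":
            ipaddress.ip_network(gateway, strict=False)    # validate address/network
            gateways.append((gateway, comment))
    return gateways

def mangle_rules(gateways, fw_addr):
    """Emit Shorewall mangle lines (ACTION SOURCE DEST PROTO): one CONTINUE:P
    per known peer, then a catch-all DROP:P for ESP from anyone else."""
    lines = ["CONTINUE:P\t%s\t%s\tesp\t# %s" % (gw, fw_addr, c or "known ipsec peer")
             for gw, c in gateways]
    lines.append("DROP:P\t-\t-\tesp\t# ESP from unknown peers")
    return lines

def esp_decision(src, dst, gateways, fw_addr):
    """Simulate the PREROUTING walk for an ESP packet: first CONTINUE wins, else DROP."""
    s = ipaddress.ip_address(src)
    for gw, _ in gateways:
        if s in ipaddress.ip_network(gw, strict=False) and dst == fw_addr:
            return "CONTINUE"
    return "DROP"

if __name__ == "__main__":
    print("\n".join(mangle_rules(parse_tunnels(TUNNELS_FILE), "192.0.2.1")))
```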