Hi Dennis,

On 07/04/16 12:53, Dennis Jacobfeuerborn wrote:
>
> I'm not sure what your objection is to creating the same rules
> permanently (which the page seems to call "global") that the updown
> script creates dynamically anyway?
>

The concern is to open a potential door for an intruder. The default _updown script creates very "picky" rules, giving just a single IP address on eth0 access to eth1. Sample:

:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4723  548K ACCEPT     all  --  eth0   *       172.19.97.60         172.19.96.0/19       policy match dir in pol ipsec reqid 275 proto 50
 9880   11M ACCEPT     all  --  *      eth0    172.19.96.0/19       172.19.97.60         policy match dir out pol ipsec reqid 275 proto 50
:

I wouldn't like to replace the single IP address on eth0 by large subnets without need.

The problem is that eth0 has been reused for the decoded traffic. The iptables entries about eth0 affect both the connection to the internet as well as the connection to the road warriors. If we want to let the road warriors in but keep the rest of the internet out, then we end up with separate iptables entries for each road warrior.

If there were a dedicated network interface xyz0 for decoded traffic without connection to eth0, then the iptables entries for the connection to the road warriors' laptops could be kept separate from the internet connection. We could open 172.19.97.0/24 on xyz0 without opening this network on eth0.

Regards
Harri

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
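An added illustration of the two rule shapes discussed in this thread (it is not the strongSwan _updown script and not code from either poster): peer_rules builds the narrow per-road-warrior FORWARD pair shown in the iptables listing above, and global_rules builds the permanent subnet-wide variant. The argument names mirror the PLUTO_* environment variables that strongSwan's _updown receives; the addresses, interface and reqid are the constructed values from the listing.

```shell
#!/bin/sh
# IPTABLES defaults to "echo" so the script only prints the commands it would
# run; set IPTABLES=iptables (or "sudo iptables") to actually apply them.
IPTABLES="${IPTABLES:-echo}"

# peer_rules ACTION IFACE PEER_CLIENT MY_CLIENT REQID PROTO
# ACTION is -I (up) or -D (down). The remaining arguments correspond to
# PLUTO_INTERFACE, PLUTO_PEER_CLIENT, PLUTO_MY_CLIENT, PLUTO_REQID and
# PLUTO_PROTO, i.e. one rule pair per road warrior, tied to its own SA.
peer_rules() {
    action=$1 iface=$2 peer=$3 mine=$4 reqid=$5 proto=$6
    $IPTABLES "$action" FORWARD -i "$iface" -s "$peer" -d "$mine" \
        -m policy --dir in --pol ipsec --reqid "$reqid" --proto "$proto" -j ACCEPT
    $IPTABLES "$action" FORWARD -o "$iface" -s "$mine" -d "$peer" \
        -m policy --dir out --pol ipsec --reqid "$reqid" --proto "$proto" -j ACCEPT
}

# global_rules ACTION IFACE PEER_POOL MY_CLIENT PROTO
# The permanent variant: the whole road-warrior pool replaces the single peer
# address. A static rule cannot carry a per-SA reqid, but keeping the
# "-m policy --pol ipsec" match means only packets that arrived inside an
# IPsec SA on IFACE are accepted; plaintext Internet traffic on the same
# interface does not match it.
global_rules() {
    action=$1 iface=$2 pool=$3 mine=$4 proto=$5
    $IPTABLES "$action" FORWARD -i "$iface" -s "$pool" -d "$mine" \
        -m policy --dir in --pol ipsec --proto "$proto" -j ACCEPT
    $IPTABLES "$action" FORWARD -o "$iface" -s "$mine" -d "$pool" \
        -m policy --dir out --pol ipsec --proto "$proto" -j ACCEPT
}

# Constructed values taken from the listing in the mail: the road warrior
# 172.19.97.60 with reqid 275, the internal net 172.19.96.0/19, and the
# pool 172.19.97.0/24 for the permanent variant.
peer_rules   -I eth0 172.19.97.60  172.19.96.0/19 275 esp
global_rules -I eth0 172.19.97.0/24 172.19.96.0/19 esp
```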
