Subject: Re: IPsec configuration issues
To: None <tech-security@netbsd.org>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-security
Date: 03/13/2000 22:56:19
Message-Id: <200003131156.WAA26020@zen.quick.com.au>
References: <200003130330.WAA06446@sandelman.ottawa.on.ca>
> itojun> #@ in ipsec esp/transport//require
> itojun> pop3 stream tcp nowait root /usr/pkg/libexec/qpopper qpopper -s
> itojun> #@
> That insists on the server that it set this policy. That means that even
> people on the local wire, or from localhost, must encrypt. I'd rather that it
> was the clients that had this policy, and negotiated via racoon for have this
Some years ago I hacked inetd so that I could have it bind only nominated
addresses. I then run an inetd bound to ppp0's address with a config that
offered only the services I wanted to offer. A separate inetd was run bound
to localhost and the ethernet addresses.
This was long before ipfilter came along, so I also had a simple hack
to ip_input() that would only deliver a packet to the address of the interface
it arrived on (unless it arrived on a loopback interface).
The net effect was simple and reliable. These days I just use ipfilter.
But it might be handy...
--sjg
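The ip_input() rule described in the post, as an added, constructed model (not the poster's kernel patch and not NetBSD code): a packet is handed up only if its destination is an address of the interface it arrived on, with loopback exempt. The struct, function names and the 203.0.113.10 / 192.168.1.1 addresses are assumptions for the demonstration.

```c
#include <arpa/inet.h>
#include <stdint.h>

/* Hypothetical user-space model of the per-interface delivery check. */
#define MAX_ADDRS 4

struct iface {
    const char *name;
    int is_loopback;            /* loopback interfaces skip the check */
    int naddrs;
    uint32_t addrs[MAX_ADDRS];  /* IPv4 addresses, network byte order */
};

/* Parse a dotted quad into a network-byte-order uint32_t; 0 on failure. */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? a.s_addr : 0;
}

/* Return 1 if a packet for dst that arrived on ifp should be delivered,
 * 0 if it should be dropped (strong host model with loopback exemption). */
int deliver_on_iface(const struct iface *ifp, uint32_t dst)
{
    if (ifp->is_loopback)
        return 1;
    for (int i = 0; i < ifp->naddrs; i++)
        if (ifp->addrs[i] == dst)
            return 1;
    return 0;
}

/* Constructed scenario mirroring the post: ppp0 carries the external
 * address, ep0 the LAN address. A packet arriving on ppp0 but addressed
 * to the LAN address is dropped, so LAN-only services stay unreachable
 * from the outside even though the host would normally accept it. */
int demo(void)
{
    struct iface ppp0 = { "ppp0", 0, 1, { ip4("203.0.113.10") } };
    struct iface ep0  = { "ep0",  0, 1, { ip4("192.168.1.1") } };
    struct iface lo0  = { "lo0",  1, 1, { ip4("127.0.0.1") } };
    int ok = 1;
    ok &= deliver_on_iface(&ppp0, ip4("203.0.113.10")) == 1; /* own address */
    ok &= deliver_on_iface(&ppp0, ip4("192.168.1.1")) == 0;  /* wrong iface */
    ok &= deliver_on_iface(&ep0,  ip4("192.168.1.1")) == 1;  /* LAN side */
    ok &= deliver_on_iface(&lo0,  ip4("192.168.1.1")) == 1;  /* loopback exempt */
    return ok;
}
```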