From: Aidas K. <a.k...@gm...> - 2006-06-02 13:37:37
Maximiliano Kolus wrote:
> First, to make it clear: I had RTFM and I still have this doubt. I'm
> connecting two networks (one of them is a branch office) using
> racoon/ipsec-tools and I see that racoon generates "fwd" policies without
> any user intervention nor request.
>
> I'm trying to figure out what those policies are for. I saw someone
> saying it was something like the FORWARD policy on iptables, but I don't
> see how it makes sense. My current policy on the branch office is:

Maximiliano,

You'd better ask in the Linux kernel mailing list WHY Linux kernel things are done the way they are. Ipsec-tools just tries to use the facilities which the kernel provides. When these facilities mandate something special, we try our best to map the standard to these special requirements.

> spdadd 172.16.10.0/24 172.16.0.0/27 any -P out ipsec esp/tunnel/201.254.100.xxx-
> 200.51.44.xxx/require;
> spdadd 172.16.0.0/27 172.16.10.0/24 any -P in ipsec esp/tunnel/200.51.44.xxx-
> 201.254.100.xxx/require;
>
> It's my understanding that, for example, the first policy says
> "packets from the 172.16.0.0/24 network to the 172.16.0.0/27 network
> are required to go out encrypted using ESP blah blah, yada yada".
> This policy would cover a packet from 172.16.10.92 to 192.168.1.1.
> So, why would I need a fwd policy? The policy
> should cover both networks, not host->network.
>
> PS: I've read the "RFC vs Linux kernel semantics"... I understand what
> it says... but then what is the "in" policy for on Linux kernels?

If you think that these fwd policies are not necessary, go ahead and delete them. But, if you use a modern kernel, you'll find out that the traffic from 172.16.10.92 to 192.168.1.1 will stop flowing.

It has been a long time since I looked at this matter in depth, so I may make mistakes, but if my memory doesn't fail me, then:
- if there is an in policy for some packet, then that packet must be ipsec-processed the way the policy requires; otherwise the packet will be dropped;
- if the packet passed the in policy, but has to be forwarded by this host, then the kernel consults the fwd policy; if there is no matching fwd policy, the packet is dropped.

My advice is: give only RFC policies to ipsec-tools, and ignore fwd policies when you see them in policy dumps.

Please note that fwd policies and the FORWARD iptables table are two completely separate things. Yes, both can be used to limit and/or change traffic, both are taken into account, but they are in no way directly related (if you change one, the other does not change automatically).

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
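As an added illustration of the in/fwd rule described in the reply (this is not code from the thread or from ipsec-tools): a small Python script that parses the branch office's two RFC-style spdadd lines and derives the fwd policy the Linux kernel would additionally consult for forwarded traffic. The elided "xxx" octets are kept as the poster wrote them, and the parser covers only the spdadd subset shown in the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the two RFC-style (in/out) policies quoted in the question.
# The "xxx" octets are left exactly as the poster elided them.
BRANCH_SPD = """
spdadd 172.16.10.0/24 172.16.0.0/27 any -P out ipsec esp/tunnel/201.254.100.xxx-200.51.44.xxx/require;
spdadd 172.16.0.0/27 172.16.10.0/24 any -P in ipsec esp/tunnel/200.51.44.xxx-201.254.100.xxx/require;
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+"
    r"(?P<dir>in|out|fwd)\s+(?P<policy>[^;]+);"
)

@dataclass(frozen=True)
class SpdEntry:
    src: str        # source selector, e.g. 172.16.0.0/27
    dst: str        # destination selector
    upper: str      # upper-layer protocol selector ("any")
    direction: str  # in | out | fwd
    policy: str     # e.g. "ipsec esp/tunnel/A-B/require"

    def to_setkey(self) -> str:
        return f"spdadd {self.src} {self.dst} {self.upper} -P {self.direction} {self.policy};"

def parse_spd(text: str) -> List[SpdEntry]:
    """Parse spdadd lines in setkey syntax (only the subset used in the thread)."""
    return [SpdEntry(m["src"], m["dst"], m["upper"], m["dir"], m["policy"].strip())
            for m in SPDADD_RE.finditer(text)]

def derive_fwd_policies(entries: List[SpdEntry]) -> List[SpdEntry]:
    """For each 'in' policy without an 'fwd' twin, build the fwd policy with the
    same selector and the same ESP tunnel endpoints. On Linux the kernel checks
    this fwd policy when a decapsulated packet is routed onward rather than
    delivered locally (head-office LAN -> tunnel -> branch LAN); 'out' policies
    need no counterpart. Modelled on the thread's description, not on
    ipsec-tools source (assumption)."""
    have_fwd = {(e.src, e.dst, e.upper) for e in entries if e.direction == "fwd"}
    return [SpdEntry(e.src, e.dst, e.upper, "fwd", e.policy)
            for e in entries
            if e.direction == "in" and (e.src, e.dst, e.upper) not in have_fwd]

def full_linux_spd(text: str) -> str:
    """RFC-style policies plus the fwd policies Linux needs, in setkey syntax."""
    entries = parse_spd(text)
    return "\n".join(e.to_setkey() for e in entries + derive_fwd_policies(entries))

if __name__ == "__main__":
    print(full_linux_spd(BRANCH_SPD))
```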