On Tue, 12 Oct 2004, Tibbs, Richard wrote:

> OK, so I take it there are no shorewall rules that are associated with
> route filtering. Is route filtering then an operation performed by the
> kernel, as per RFC 1812? Deciding what routes to trust from what
> sources?
>

Route filtering is performed entirely within the kernel -- it causes
packets to be discarded where there is no route to the packet source out
through the interface which received the packet.

> Also, how is this related to IPSEC?

IPSEC prior to the 2.6 native implementation uses a pseudo-device (ipsecN)
and an altered routing table which makes it possible for legitimate packets
to be dropped by route filtering. The Native 2.6 implementation does away
with special routes for IPSEC (once you get the hang of it, the new native
implementation is really very easy to use with a keying daemon like
racoon).

You quoted me as having used IPSEC with route filtering without a problem
-- turns out, I was using the pre-1.4.8 broken route filtering which wasn't
filtering at all :-(

> I am curious because we have had no
> success with IPsec between some machines on campus. A "no route found"
> message was found in a log file -- with spoofprotect=NO and no
> routefilter option --. (see previous post of Erichs about no route
> found).

Have you disabled opportunistic encryption in your FreeS/Wan config?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
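
The reverse-path check described in the message above, as a simplified model. This is an added example, not code from the original post, Shorewall or the kernel; the routing tables, prefixes and the choice of ipsec0 as the interface carrying the tunnel route are constructed assumptions.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
PLAIN_ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.1.0/24", "eth1"),
]
# Same host after tunnel setup adds a route for the remote subnet through a
# pseudo-device (interface name and prefix are assumptions for illustration).
TUNNEL_ROUTES = PLAIN_ROUTES + [("10.20.0.0/16", "ipsec0")]


def best_route(routes, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def route_filter(routes, src, in_iface):
    """Accept only if the route back to the packet source leaves through
    the interface that received the packet."""
    out_iface = best_route(routes, src)
    if out_iface is None:
        return "DROP (no route to source)"
    if out_iface != in_iface:
        return f"DROP (route to {src} is via {out_iface}, not {in_iface})"
    return "ACCEPT"


def demo():
    packets = [
        ("192.168.1.7", "eth1"),  # LAN host seen on the LAN interface
        ("192.168.1.7", "eth0"),  # LAN source address arriving from outside
        ("10.20.3.4", "eth0"),    # remote-subnet source on the physical NIC
    ]
    return [(name, src, iface, route_filter(routes, src, iface))
            for name, routes in (("plain", PLAIN_ROUTES), ("tunnel", TUNNEL_ROUTES))
            for src, iface in packets]


if __name__ == "__main__":
    for row in demo():
        print("%-7s src=%-12s in=%-5s %s" % row)
```

The third packet is accepted with the plain table and dropped once the remote subnet is routed through the pseudo-device, which is the kind of interaction between an altered routing table and route filtering that the reply refers to.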