I tried NAT with SKIP without success and reasoned that as they are both
shims in the ip stack they were not being added in the correct order so I
just gave up. I prefer using SKIP on a separate (not very busy) box on the
LAN, anyway. That way the main router is firewalled to only let tunnels to
that box or traffic to the bastion host proxies in from the Internet and the
rules are very clear. You can do the same with NATD.
The skip users group isn't very chatty in general and even less so on
platform-specific questions. You can still get some good answers but I
think they're all pretty busy. Try freebsd-security or freebsd-hackers.
-----Original Message-----
From: Eric J. Schwertfeger <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Saturday, September 26, 1998 6:40 PM
Subject: Re: SKIP and natd on FreeBSD 2.2-current
>
>On Thu, 24 Sep 1998, Eric J. Schwertfeger wrote:
>
>> I've got two FreeBSD machines, one 2.2.7-RELEASE and one
>> 2.2.7-19980828-SNAP. The latter machine is a firewall with natd running
>> on it. Without configuring natd, we can establish encrypted
>> communications to our hearts content.
>>
>> However, as soon as we insert the ipfw divert rule for natd, things go
>> south fast. Basically, we've tried various configurations, and we can get
>> one or the other to work, but not both. Even a two-rule rc.firewall
>> consisting of just the divert rule and a pass all rule kills SKIP if the
>> divert comes first.
>
>I've narrowed the problem down. Basically, because natd is reinserting the
>unencrypted packet into the device (queue?), skip can't tell that it's a
>packet that it has already decrypted, so rejects the packet because it
>thinks that the given packet was never encrypted, and is coming from a
>host that requires encryption.
>
>Also, is anyone seeing this? I didn't get any replies, and haven't seen
>any other traffic on this list since subscribing.