<0> and the irc op merely said, "well, dogs have *** too right??"
<0> and that's when I knew undernet has gone to hell
<1> f3ew: no ****? really. that's why it says G-lined there?
<2> yes
<1> Comet-: heh
<1> Comet-: well, it's true. although when did dogs have time to learn to type is really a whole 'nother question.
<0> they gave me the usual, "well if they do something bad, then email abuse@cservice.net blah blah"
<3> * keichii has quit IRC (G-lined (Auto-Klined for 86400 seconds.)) in another channel. something weird is going on ;)
<1> snarf: comcast user also?
<3> keichii was ~keichii@earth.psy.utexas.edu * Unknown - nope
<1> weird
<4> is anyone here doing ipsec on a bridge interface?
<5> siglite: I bridge ipsec, does that count?
<5> OTOH, no, I don't really bridge ipsec either.
<5> Hard to explain :)
<6> PolarWolf: lol, make up your mind :P
<7> maybe you ip bridgesec?
<5> tavi-san: Yeah, well, it's a tricky concept to explain.
<6> lol
<4> PolarWolf: I have a really ****ed up situation
<6> or sec bridge ip? :)
<5> I should document it extensively sometime, it's pretty cool
<4> PolarWolf: I have a bridging firewall
<4> PolarWolf: it uses ebtables, ebtables passes traffic through to the kernel routing/iptables stuff and that's where the access control is
<4> PolarWolf: so I set up openswan, and I configure br0 with an IP address, and make that an ipsec gateway
<4> tunnels come up with no problem
<7> so you aren't bridging then
<6> siglite: I'm gonna put it on paper
<6> to understand it, it's 9 pm here
<4> smsie: yes, I am
<7> once you give it an IP and use it as a gateway, that's no longer bridging
<4> I need to do both.
<4> it's still bridging.
<5> siglite: Yeah, that works, except it's friggen tricky to "see" the traffic from the tunnels on the other side of the bridge
<4> evil-physdev0 --------bridge-------physdev1-trusted
<4> now, the bridge has an IP, but it's not functioning as a gateway for any host in evil or trusted.
<5> siglite: What I do is; I use KLIPS, and bridge its ipsec0 interface to the other interface I want to use for further processing
<7> ah
<7> that's a bridge then, yes
<4> hehe, yeah, I suppose
<5> siglite: The advantage to that is that ipsec0 carries plain text traffic
<4> well, here's what's happening
<4> remote clients out there in "evil" connect to my management ip on "bridge" to tunnel to "trusted"
<4> and, to be honest, it works, sorta.
<4> but what's not working, is that for some reason, the --state RELATED,ESTABLISHED is broken, because the return packets are not being seen as related to the original ****
<5> siglite: Where is the actual ipsec being handled?
<6> PolarWolf: on the bridge I guess
<4> I have ipsec0=br0
<6> so that isn't really right
<8> ei
<4> it probably isn't right
<5> siglite: Do you implicitly trust everything that comes out of ipsec?
<8> how do I delete a symlink?
<4> but I'm having a helluva time trying to figure out why it's not right.
<7> rm symlink
<4> PolarWolf: eeeeeeh, no, not really. my updown scripts are allowing port-by-port proto-by-proto access even on the tunnels.
<6> because the packets are probably marked at some point with the wrong ****
<5> siglite: Ah yeah, ok, but eventually, everything that comes out of ipsec0 is trusted, right?
<4> I do trust anything that's --state ESTABLISHED,RELATED
<6> you could add another machine behind the bridge to solve this
<6> and that should solve the --state issue
<7> ewww!
<6> don't!
<4> yeah, **** that
<4> well, I might have to.
<8> smsie: is that it?
<6> I hate bitchslapping when I'm grumpy and tired
<6> qiqo: yeah now leave
<6> smsie: but if you feel better bitchslap me :)
<9> Damnit, can't find a photo gallery plugin for WP that I like. Meh
<4> PolarWolf: anything coming from the trusted network towards evil over ipsec0 is trusted.
<6> siglite: try to strip the packets and see where and how they are marked or something
<4> PolarWolf: but what's happening is that the return packets (in either direction) are going over the bridge. The kernel routing stuff's never shoving the return packets into the tunnel. It just happily passes them along the bridge.
<6> my head is kinda empty of ideas right now
<8> please help.. how do I remove symlinks?
<10> qiqo: man rm
<6> qiqo: rm <insert symlink here>
<5> siglite: What I do is the following: client == ipsec0|eth0 ---- (evil network) ---- eth0|ipsec0 <(bridge)> virtual0 == trusted network
<5> siglite: Dunno if that makes sense :)
<7> siglite: if I had to guess, I'd say that your bridging is not even allowing the packets to get as far as iptables?
<5> siglite: Anyway, I bridge ipsec0 to an interface in the trusted network
<4> smsie: no, it is. The dropped packets are being logged by my ruleset.
<8> ok thanks
<7> siglite: hmm...
<6> kopete ****s ***
<7> siglite: you aren't doing NAT are you?
<4> PolarWolf: wtf is "virtual0"?
<7> siglite: or are you?
<4> smsie: no
<5> siglite: In my case, a tuntap interface :)
<7> siglite: then ESTABLISHED,RELATED doesn't hit does it?
<4> smsie: correct
<4> the packets aren't related, because they came in the ipsecX, and the return stuff is going through the bridge.
<5> siglite: But it can just as well be another interface, say, the outgoing interface of your firewall into the trusted network
<6> well it can't hit on that setup, because of the bridge in between
<4> so I would have my ipsec0 interface in the bridge with physdev0 and physdev1?
<7> siglite: well, that doesn't matter as far as how I understand conntracking stuff to work. But you aren't natting, so how are you expecting conntracking to work?
<7> siglite: since conntracking is part of the nat tables
<6> packets going out through the bridge would just be passed through
<4> smsie: conntracking also happens on forward.
<5> siglite: No, physdev0 is irrelevant, ipsec0 is the important one as that's where the plaintext traffic comes out of
<6> no marking
<4> see, the bridge is physdev0-physdev1, and you're saying make ipsec0 part of that bridge?
<7> siglite: are the packets going via FORWARD? I would have thought not. They're INPUT no?
<4> or build a second bridge where physdev1 is a member of br0 and br1?
<5> siglite: Yeah
<4> smsie: no, they're forward
<5> siglite: Your result is that you bridge ipsec packets to physdev1
<4> smsie: the ebtables stuff pushes the packets up to iptables
<7> siglite: yeah. I didn't realise they went to forward. My bad
<11> haha
<4> PolarWolf: that sounds scary as hell
<6> fredk: you messed my head
<5> siglite: Oh, it is :)
<4> PolarWolf: mainly because I'm not understanding the packet/frame path
<6> I'm tired
<5> siglite: It's evil, especially as ipsec itself is pretty anal in what it accepts too
<7> Dave's the ebtables expert
<12> When I go to a restaurant and order buffalo wings, is it too much to expect to actually GET buffalo wings?
<6> what bridge?
<9> siglite: Mind if I PM?
<6> another machine?
<5> siglite: I do another trick though, the receiving end of the eventual plaintext packets has the same public address as the interface doing the actual ipsec
<5> siglite: Damn, this is hard to explain without proper diagrams :)
<6> PolarWolf: you want internal "marking", don't you? :)
<5> tavi-san: Eh?
<7> ah, fred's firewall worked like that now that I read the scripts
<12> smsie, it was fairly nice to be honest :)
<4> PolarWolf: ok, that didn't explode things
<7> fredk: yeah, I liked it. I assume you've replaced it with an appliance by now?
<5> client == ipsec0|eth0 ---- (evil network) ---- eth0|ipsec0 <(bridge)> virtual0 <> eth0 (UML server)
<13> Greetings all.
<5> It's actually more like that
<6> PolarWolf: nothing, there is a mess in my head right now
<6> but I was thinking about UML when I said that thing
<12> smsie, I use my router and switch level firewalling
<6> brb, I need some coffee or something
<5> Basically, all "client" knows is that it has a full-blown ipsec connection with the UML server on the far end, while it really has one with the bridge
<7> fredk: cool
<13> Does anyone have any recommendations for a Scheme? I'm currently looking at Guile and DrScheme
<5> Note that the UML server is totally unaware of anything ipsec
<7> kkaisare: emacs
<7> emacs is the answer to *anything* lispy
Return to #linux