Re: pf tag goes missing post sshd tcp decapsulization

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: scott <8f27e956@...>

To: <misc@...>

Subject: Re: pf tag goes missing post sshd tcp decapsulization

Date: Monday, March 3, 2008 - 12:41 pm

Thanks, everyone, for the user- vs kernel-land info.  As soon as I read
it, I got it.  Disappointed but I got it.

ipsec/isakpmd is, I think, kernel-land and it has some very flexible
(per ipsec rule, not just daemon level, as in user or group filtering)
pf+visible tag capabilities.

As he crosses his fingers and starts the please-please-please dance  ...
Respecting the differences between sshd and ipsec implementations and,
now that I get it, their respective run space, it certainly would be
nice to see as a "futures" sshd inherit what ever may be inheritable in
these regards. 

This ssh -w option is sooo very cool!!!  It just needs a little more
something from the supporting cast of daemons.

Thx.



-----Original Message-----
From: Giancarlo Razzolini <linux-fan@onda.com.br>
Reply-To: linux-fan@onda.com.br
To: misc@openbsd.org
Subject: Re: pf tag goes missing post sshd tcp decapsulization
Date: Mon, 03 Mar 2008 13:02:02 -0300
Mailer: Thunderbird 1.5.0.14pre (X11/20071023)
Delivered-To: 8f27e956@gmail.com

Henning Brauer escreveu:
quoted text> * Giancarlo Razzolini <linux-fan@onda.com.br> [2008-03-03 14:35]:
>> Tags are only visible while in the kernel. Once you send them to a
>> application, unless it has the ability to set a tag, the tag will be
>> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on
>> the packet. It would be nice if more userland applications like sshd,
>> spamd, hoststated, etc, could set tags too.
>
> actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically
> inserts rules and makes THEM tag the packets. that concept doesn't
> translate all that well to the other usage cases you mention.
>
And, as the packets passes by the rules that ftp-proxy inserted, they
can be filtered on using the tag inserted with ftp-proxy. But it would
be really nice to have other applications being able to "see" tags and
set them too in the packets passing through them. But i don't see it
much as a limitation. I do use the user keyword or other means to filter
based on the application. Also, a very good thing is the ability to use
the authpf. I also think that the new chroot functionally off ssh that
is shipping with open 4.3, will help on doing this.

My regards,
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

pf tag goes missing post sshd tcp decapsulization, scott, (Mon Mar 3, 5:00 am)

Re: pf tag goes missing post sshd tcp decapsulization, Giancarlo Razzolini, (Mon Mar 3, 9:30 am)

Re: pf tag goes missing post sshd tcp decapsulization, Henning Brauer, (Mon Mar 3, 11:19 am)

Re: pf tag goes missing post sshd tcp decapsulization, Giancarlo Razzolini, (Mon Mar 3, 12:02 pm)

Re: pf tag goes missing post sshd tcp decapsulization, scott, (Mon Mar 3, 12:56 pm)

Re: pf tag goes missing post sshd tcp decapsulization, Giancarlo Razzolini, (Mon Mar 3, 2:02 pm)

Re: pf tag goes missing post sshd tcp decapsulization, scott, (Mon Mar 3, 12:41 pm)

Re: pf tag goes missing post sshd tcp decapsulization, Reyk Floeter, (Tue Mar 4, 6:15 am)

Re: pf tag goes missing post sshd tcp decapsulization, Konrad, (Thu Mar 6, 2:08 am)

Re: pf tag goes missing post sshd tcp decapsulization , Theo de Raadt, (Thu Mar 6, 2:35 am)

Re: pf tag goes missing post sshd tcp decapsulization, Henning Brauer, (Mon Mar 3, 9:08 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Arjan van de Ven	[patch] Add basic sanity checks to the syscall execution patch
Matthew Wilcox	Re: AIM7 40% regression with 2.6.26-rc1
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
git:
Andy Whitcroft	Re: VCS comparison table
David	User's mailing list? And multiple cherry pick
Scott Chacon	Git Community Book
Mark Levedahl	Re: [PATCH] Teach remote machinery about remotes.default config variable
openbsd-misc:
Marco Peereboom	Re: Real men don't attack straw men
Richard Stallman	Real men don't attack straw men
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Tony Abernethy	Re: What is our ultimate goal??
linux-netdev:
Arjan van de Ven	Re: [GIT]: Networking
Jeff Garzik	Re: [bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"
Denys Fedoryshchenko	packetloss, on e1000e worse than r8169?
Radu Rendec	Endianness problem with u32 classifier hash masks

Latest forum posts


trouble with my Asus Mainboard	1 hour ago	Linux kernel
How to exec user process in kernel mode.	2 days ago	Linux kernel
[IPSEC]IPSEC_MANUAL_REQID_MAX	3 days ago	Linux kernel
help in UDP catching module..	3 days ago	Linux kernel
Is there anything like Real-time drivers?	5 days ago	Linux general
ns16550 serail console in Linux 2.6.19	5 days ago	Linux general
what class should i use to register my devices	5 days ago	Linux kernel
reset bios pasword toshiba	6 days ago	Hardware
Analysis of Process Scheduling	1 week ago	Linux kernel
RT Kernel and SSH Server Panics	1 week ago	Linux kernel

Show all forums...

Recent Tags

Tux3 filesystem -rc 2.6.27-rc5 Daniel Phillips Linux 2.6.27 Linus Torvalds -rc5 -rc4 quote Andrew Morton H. Peter Anvin

more tags

Colocation donated by:

Online users

Syndicate