Thanks, everyone, for the user- vs kernel-land info. As soon as I read it, I got it. Disappointed but I got it.
ipsec/isakpmd is, I think, kernel-land and it has some very flexible (per ipsec rule, not just daemon level, as in user or group filtering) pf+visible tag capabilities. As he crosses his fingers and starts the please-please-please dance ... Respecting the differences between sshd and ipsec implementations and, now that I get it, their respective run space, it certainly would be nice to see as a "futures" sshd inherit what ever may be inheritable in these regards. This ssh -w option is sooo very cool!!! It just needs a little more something from the supporting cast of daemons. Thx. -----Original Message----- From: Giancarlo Razzolini <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] To: misc@openbsd.org Subject: Re: pf tag goes missing post sshd tcp decapsulization Date: Mon, 03 Mar 2008 13:02:02 -0300 Mailer: Thunderbird 1.5.0.14pre (X11/20071023) Delivered-To: [EMAIL PROTECTED] Henning Brauer escreveu: > * Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]: >> Tags are only visible while in the kernel. Once you send them to a >> application, unless it has the ability to set a tag, the tag will be >> lost. The ftp-proxy(8) AFAICR, since 4.1 has the ability to set a tag on >> the packet. It would be nice if more userland applications like sshd, >> spamd, hoststated, etc, could set tags too. > > actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically > inserts rules and makes THEM tag the packets. that concept doesn't > translate all that well to the other usage cases you mention. > And, as the packets passes by the rules that ftp-proxy inserted, they can be filtered on using the tag inserted with ftp-proxy. But it would be really nice to have other applications being able to "see" tags and set them too in the packets passing through them. But i don't see it much as a limitation. I do use the user keyword or other means to filter based on the application. Also, a very good thing is the ability to use the authpf. I also think that the new chroot functionally off ssh that is shipping with open 4.3, will help on doing this. My regards, -- Giancarlo Razzolini Linux User 172199 Red Hat Certified Engineer no:804006389722501 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Ubuntu 7.04 Feisty Fawn Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85 [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
