On Mon, Mar 03, 2008 at 11:41:39AM -0500, scott wrote:
> Thanks, everyone, for the user- vs kernel-land info. As soon as I read
> it, I got it. Disappointed but I got it.
>
> ipsec/isakmpd is, I think, kernel-land and it has some very flexible
> (per ipsec rule, not just daemon level, as in user or group filtering)
> pf-visible tag capabilities.
>
> As he crosses his fingers and starts the please-please-please dance ...
> Respecting the differences between sshd and ipsec implementations and,
> now that I get it, their respective run space, it certainly would be
> nice to see as a "futures" sshd inherit whatever may be inheritable in
> these regards.

I like henning's idea to use something like a setsockopt(2) option to
assign a pf tag to a running session. I was thinking about this before
to use it with some weird magic in relayd... but this is way off at the
moment.

> This ssh -w option is sooo very cool!!! It just needs a little more
> something from the supporting cast of daemons.

I'm still waiting for someone who pops up to port it to the
Windoze/cygwin version of openssh. There is a tun/tap driver in the
OpenVPN package (unfortunately GPL); it could be moved into an external
package and used by the port for SSH-VPN. I would only do it if I could
get some compensation for immaterial damage; yuck, working on Windows
is so painful.

> Thx.
>
> -----Original Message-----
> From: Giancarlo Razzolini <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: misc@openbsd.org
> Subject: Re: pf tag goes missing post sshd tcp decapsulization
> Date: Mon, 03 Mar 2008 13:02:02 -0300
> Mailer: Thunderbird 1.5.0.14pre (X11/20071023)
> Delivered-To: [EMAIL PROTECTED]
>
> Henning Brauer wrote:
> > * Giancarlo Razzolini <[EMAIL PROTECTED]> [2008-03-03 14:35]:
> >> Tags are only visible while in the kernel. Once you send them to an
> >> application, unless it has the ability to set a tag, the tag will be
> >> lost. The ftp-proxy(8) AFAICR, since 4.1, has the ability to set a tag on
> >> the packet. It would be nice if more userland applications like sshd,
> >> spamd, hoststated, etc, could set tags too.
> >
> > actually, it is not ftp-proxy that sets tags. ftp-proxy dynamically
> > inserts rules and makes THEM tag the packets. that concept doesn't
> > translate all that well to the other usage cases you mention.
> >
> And, as the packets pass by the rules that ftp-proxy inserted, they
> can be filtered on using the tag inserted with ftp-proxy. But it would
> be really nice to have other applications being able to "see" tags and
> set them too in the packets passing through them. But i don't see it
> much as a limitation. I do use the user keyword or other means to filter
> based on the application. Also, a very good thing is the ability to use
> the authpf. I also think that the new chroot functionality of ssh that
> is shipping with open 4.3 will help on doing this.
>
> My regards,
> --
> Giancarlo Razzolini
> Linux User 172199
> Red Hat Certified Engineer no:804006389722501
> Moleque Sem Conteudo Numero #002
> Slackware Current
> OpenBSD Stable
> Ubuntu 7.04 Feisty Fawn
> Snike Tecnologia em Informatica
> 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
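The tag-loss behaviour the thread is about, written out as a constructed pf.conf fragment added here (it is not from any of the posters); the interface names, networks and the tag name are assumptions, and the ftp-proxy anchor is shown only to contrast the rule-insertion approach Henning describes:

```pf
# Constructed example, not from the thread. Interface names, networks
# and the tag name SSH_VPN are assumptions.
ext_if = "em0"
lan    = "192.168.1.0/24"

# Tag the inbound SSH session on the external interface. The tag is
# carried on the packet inside the kernel and follows this TCP
# connection through the ruleset.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 tag SSH_VPN

# Packets that arrive inside an "ssh -w" tunnel are written back into
# the stack by sshd (userland) through tun0 as brand-new packets. They
# never carried the SSH_VPN tag, so a rule such as
#   pass in on tun0 tagged SSH_VPN
# would match nothing. Filter the decapsulated traffic by its own
# properties on the tunnel interface instead (tunnel address range is
# an assumption).
pass in on tun0 inet from 10.0.0.0/24 to $lan

# ftp-proxy(8) works differently: it loads rules into its anchor and
# those in-kernel rules apply the tag to the data connection, so the
# tag is visible to later rules without the proxy touching the packet.
anchor "ftp-proxy/*"
```

Loading a fragment like this with `pfctl -nf` is a quick way to confirm that the `tagged` rule on tun0 is syntactically fine but, as the thread explains, can never match tunnelled traffic.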