On 12/13/2017 08:47 AM, cac...@quantum-sci.com wrote:
> On 12/12/2017 03:22 PM, cac...@quantum-sci.com wrote:
>>
>> I'm setting up IPSec (LibreSwan) to come into my router (a CentOS VM).
>>
>> At 127.0.0.1 in the router are ports 500 and 4500 (which are reverse
>> SSH tunneled from another machine).
>>
>> Rather than flanging those ports directly to the outside interface in
>> the router, I'm hoping for a little added protection by listening for them
>> on localhost, and then DNATing from the outside interface.
>>
>> - Does this give any added protection?
>>
>> - Does DNAT even work with UDP? If not, what can I do?
>>
>> - Is there a better way?
>>
>
> Can anyone advise?
>
> I have many problems already, trying to get ipsec working. Trying to
> anticipate this one.
>
I believe it adds additional complexity with no benefit to security. But to answer your other question, UDP can be DNATted; that is why IPSEC NAT Traversal encapsulates the ESP packets in UDP (port 4500).

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \  A: Someone who makes you an offer you can't
http://shorewall.org     \   understand
                          \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users