> I'll look at what you say below Bill.
>
> But keep in mind that the attacks I'm concerned about are typically buffer
> overflows and other sideband attacks. Directness rarely succeeds in hacking
> these days. There are always unknown vulns.
>
> I suspect that the reason Tom says that only the router can sponsor
> the ipsec gateway is that ports other than 4500 are used, although he
> doesn't specify. I know that at least with LibreSwan there is a setting to
> constrain it to 4500 for this reason. Not sure about StrongSwan, but I'll
> look into it today.
Now I remember. Tom said the reason an incoming remote could not access the
rest of the LAN is something about IPsec SAs. I couldn't understand it.
But it may be that his experience is with LibreSwan. StrongSwan ostensibly
does have [support for NAT
traversal](https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal),
and I'm trying to understand that now.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
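The two points the thread circles around (which UDP port NAT-T traffic arrives on, and why a road warrior's SA can be limited to the gateway rather than the whole LAN) can both be made concrete in configuration. The fragment below is an added example for this thread, not configuration posted by anyone in it and not taken from the strongSwan or Shorewall projects' documentation. It assumes strongSwan 5.x with the swanctl.conf syntax, a gateway whose public address is 203.0.113.1, a LAN of 192.168.1.0/24 behind it, and Shorewall zones named net (outside) and loc (LAN); all of those addresses, names and identities are assumptions.

```conf
# --- /etc/swanctl/swanctl.conf (strongSwan 5.x, swanctl syntax) ---
# Added example; addresses, certificate names and identities are assumed.
connections {
    roadwarrior {
        local_addrs = 203.0.113.1            # assumed public address of the gateway
        local {
            auth  = pubkey
            certs = gwCert.pem               # assumed certificate file name
            id    = gw.example.org           # assumed gateway identity
        }
        remote {
            auth = pubkey                    # clients authenticate with certificates
        }
        # NAT-T: when a NAT is detected between the peers, IKE moves from UDP 500
        # to UDP 4500 and ESP is carried inside UDP 4500 as well. "encap = yes"
        # asks for UDP encapsulation even when no NAT is detected, so the ESP
        # data path always uses UDP 4500 and the firewall has one well-known
        # port to open instead of raw ESP plus UDP 4500.
        encap = yes
        children {
            # Narrow traffic selector: the SA covers only the gateway address.
            # Decapsulated packets addressed to anything else do not match the
            # IPsec policy and are dropped, so a remote peer cannot reach the
            # rest of the LAN through this SA regardless of firewall rules.
            gw-only {
                local_ts = 203.0.113.1/32
            }
            # Wide traffic selector: the SA covers the whole LAN. A client that
            # negotiates this child can reach 192.168.1.0/24 (subject to the
            # firewall). Keep only one of these two children in a real setup.
            lan {
                local_ts = 192.168.1.0/24
            }
        }
    }
}

# --- /etc/shorewall/rules (assumed zones: net = outside, loc = LAN) ---
#ACTION     SOURCE   DEST    PROTO   DPORT
# IKE on UDP 500; after NAT detection IKE and UDP-encapsulated ESP both use 4500.
ACCEPT      net      $FW     udp     500,4500
# Raw ESP (IP protocol 50) is only needed when encapsulation is NOT forced;
# with "encap = yes" above this rule can be omitted.
ACCEPT      net      $FW     50
```

With "encap = yes" the gateway never needs to accept raw ESP from the outside, which is the property the thread is after when it talks about constraining the tunnel to 4500. The narrow "gw-only" child is one mechanism by which a remote peer ends up able to talk to the gateway but not to the LAN behind it: the restriction is enforced by the kernel's IPsec policy (the traffic selectors of the SA), before any firewall rule sees the decapsulated packet. Note that Shorewall also has to classify the decapsulated traffic itself (its ipsec zone type in the zones and hosts files); that part is outside this fragment and is covered in Shorewall's own IPsec documentation.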