> I'll look at what you say below Bill.
>
> But keep in mind that the attacks I'm concerned about are typically buffer 
> overflows and other sideband attacks.  Directness rarely succeeds in hacking 
> these days.  There are always unknown vulns.
>
> I suspect the reason Tom says that only the router can sponsor the IPsec 
> gateway is that ports other than 4500 are used, although he 
> doesn't specify.  I know that at least with LibreSwan there is a setting to 
> constrain it to 4500 for this reason.  Not sure about StrongSwan, but I'll 
> look into it today.

Now I remember.  Tom said the reason an incoming remote could not access the 
rest of the LAN is something about IPsec SAs.  I couldn't understand it.

But it may be that his experience is with LibreSwan.  StrongSwan ostensibly 
does have [support for NAT 
traversal](https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal), 
and I'm trying to understand that now.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users