authorArchie Cobbs <archie@FreeBSD.org>1999-07-22 18:37:09 +0000
committerArchie Cobbs <archie@FreeBSD.org>1999-07-22 18:37:09 +0000
commit892a9dd0983c204b04620393342b210a66f75f45 (patch)
treec03b638485a825223f4a4e0ab483126d4f338abb /security/skip
parentUpgrade to nmap-2.2-BETA4. The beta includes a very nice GUI (xnmap) that (diff)
Add new file README.FreeBSD+NAT to the documentation subdirectory, describing
how to run SKIP and natd together.
Submitted by: Jim Flowers <jflowers@ezo.net>
Mark this port as BROKEN until the device registration bit is fixed.
Notes
Notes: svn path=/head/; revision=20319
Diffstat (limited to 'security/skip')
-rw-r--r--security/skip/Makefile4
-rw-r--r--security/skip/files/patch-aw13
-rw-r--r--security/skip/files/patch-bb15
-rw-r--r--security/skip/files/patch-cu69
-rw-r--r--security/skip/pkg-plist1
5 files changed, 90 insertions, 12 deletions
diff --git a/security/skip/Makefile b/security/skip/Makefile
index e4bd55a68831..cb9890b74c4f 100644
--- a/security/skip/Makefile
+++ b/security/skip/Makefile
@@ -3,7 +3,7 @@
# Date created: 26 November 1997
# Whom: Archie L. Cobbs <archie@whistle.com>
#
-# $Id: Makefile,v 1.6 1999/02/26 01:01:19 archie Exp $
+# $Id: Makefile,v 1.7 1999/05/04 23:18:35 steve Exp $
DISTNAME= skip-1.0
CATEGORIES= security
@@ -56,4 +56,6 @@ post-patch:
mv $$FILE.new $$FILE; \
done
+BROKEN= Needs to be updated wrt. new device registration
+
.include <bsd.port.mk>
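Review bot: `BROKEN=` is inserted between the end of the post-patch recipe and the `.include <bsd.port.mk>` line; this works, since the unindented assignment terminates the rule, but it buries a port-wide status flag below the targets, and port Makefiles usually keep BROKEN with the other variables near DISTNAME/CATEGORIES where the next maintainer will look for it. The message could also be spelled out, e.g. `BROKEN= needs updating for the new device registration interface`, as "wrt." is opaque when the text is shown in the ports index. The post-patch target that this hunk ends starts outside the hunk.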
diff --git a/security/skip/files/patch-aw b/security/skip/files/patch-aw
index 08b96fec1ba6..ed65632c3beb 100644
--- a/security/skip/files/patch-aw
+++ b/security/skip/files/patch-aw
@@ -1,18 +1,21 @@
diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/ROADMAP work.new/doc/ROADMAP
--- skipsrc-1.0.orig/doc/ROADMAP Fri Oct 25 13:11:55 1996
-+++ work.new/doc/ROADMAP Mon Mar 8 21:33:38 1999
-@@ -1,6 +1,10 @@
++++ work.new/doc/ROADMAP Thu Jul 22 11:13:09 1999
+@@ -1,6 +1,13 @@
This directory contains documentation and legal statements for this
release.
+README.FreeBSD - Notes on the FreeBSD port of SKIP.
-+ All of the other documentation is NOT
-+ specific to FreeBSD.
++
++README.FreeBSD+NAT - Notes on using SKIP with FreeBSD's NAT
++ (Network Address Translation).
++
++All of the other documentation is NOT specific to FreeBSD:
+
00README - Introduction, Release notes and Build
Instructions. Read this first. You
should read this if only for the
-@@ -24,3 +28,4 @@
+@@ -24,3 +31,4 @@
architecture and performance.
usersguide.* - User's guide in various formats
diff --git a/security/skip/files/patch-bb b/security/skip/files/patch-bb
index 32c0ccf41905..e0391db7cec4 100644
--- a/security/skip/files/patch-bb
+++ b/security/skip/files/patch-bb
@@ -1,15 +1,16 @@
diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work.new/mkpkgs/freebsd/Makefile
--- skipsrc-1.0.orig/mkpkgs/freebsd/Makefile Fri Oct 25 13:12:32 1996
-+++ work.new/mkpkgs/freebsd/Makefile Mon Mar 8 22:13:27 1999
-@@ -64,6 +64,7 @@
++++ work.new/mkpkgs/freebsd/Makefile Thu Jul 22 11:03:37 1999
+@@ -64,6 +64,8 @@
$(BLD_DIR)/doc/SKIP_SOFTWARE_LICENSE \
$(BLD_DIR)/doc/BN_SOFTWARE_LICENSE \
$(BLD_DIR)/doc/README.PATENT \
+ $(BLD_DIR)/doc/README.FreeBSD \
++ $(BLD_DIR)/doc/README.FreeBSD+NAT \
$(BLD_DIR)/doc/00README \
$(BLD_DIR)/doc/INSTALL \
$(BLD_DIR)/doc/advanced.TOPICS \
-@@ -104,10 +105,10 @@
+@@ -104,10 +106,10 @@
$(MKDIR) $(BSDPROTO)/bin
$(MKDIR) $(BSDPROTO)/doc
@@ -24,7 +25,7 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work
@echo "Initializing skip/etc directory"
$(INSTALL) -m 0444 $(BLD_DIR)/admin/SunICG_CA_selfcert \
-@@ -124,8 +125,8 @@
+@@ -124,8 +126,8 @@
$(BSDPROTO)/etc/skipd.conf
@echo "Adding skip/drv to release"
@@ -35,16 +36,18 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work
@echo "Adding skip/bin to release"
$(INSTALL) -m 0755 $(BLD_DIR)/skip/tools/skiptool/none.ras \
-@@ -191,6 +192,8 @@
+@@ -191,6 +193,10 @@
$(BSDPROTO)/doc/BN_SOFTWARE_LICENSE
$(INSTALL) -m 0644 $(BLD_DIR)/doc/README.PATENT \
$(BSDPROTO)/doc/README.PATENT
+ $(INSTALL) -m 0644 $(BLD_DIR)/doc/README.FreeBSD \
+ $(BSDPROTO)/doc/README.FreeBSD
++ $(INSTALL) -m 0644 $(BLD_DIR)/doc/README.FreeBSD+NAT \
++ $(BSDPROTO)/doc/README.FreeBSD+NAT
$(INSTALL) -m 0644 $(BLD_DIR)/doc/00README \
$(BSDPROTO)/doc/00README
$(INSTALL) -m 0644 $(BLD_DIR)/doc/INSTALL \
-@@ -239,8 +242,8 @@
+@@ -239,8 +245,8 @@
$(BSDPROTO)/man/man4/raw_keys.4
$(INSTALL) -m 0644 $(BLD_DIR)/certs/man/print_cert.1m \
$(BSDPROTO)/man/man1/print_cert.1
diff --git a/security/skip/files/patch-cu b/security/skip/files/patch-cu
new file mode 100644
index 000000000000..cc2aef7a23af
--- /dev/null
+++ b/security/skip/files/patch-cu
@@ -0,0 +1,69 @@
+diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/README.FreeBSD+NAT work.new/doc/README.FreeBSD+NAT
+--- skipsrc-1.0.orig/doc/README.FreeBSD+NAT Wed Dec 31 16:00:00 1969
++++ work.new/doc/README.FreeBSD+NAT Thu Jul 22 11:02:18 1999
+@@ -0,0 +1,65 @@
++Using SKIP and FreeBSD's NAT (Network Address Translation) together
++-------------------------------------------------------------------
++
++Skip and NAT are two very popular strategies for building secure
++networks with FreeBSD. They are sometimes believed to be incompatable
++when applied to the same interface. They will work together, however,
++when correctly configured. This document addresses the reference
++implementation of SKIP (1.0) and natd as implemented through ipfw.
++
++The key to understanding the operation of SKIP and NAT in parallel is to
++realize that inbound packets traverse the ipfw ruleset twice - once as an
++encapsulated packet and once as an de-encapsulated packet with the
++original destination address restored. Outbound packets, on the other
++hand, make a single pass in the unencapsulated state. This understanding
++can be used to advantage in building a nomadic SKIP server. A nomadic SKIP
++server allows any host equipped with a SKIP client to connect to the
++Internet (eg. via a dialup connection to an ISP) and then establish a
++secure connection to the nomadic SKIP server allowing full access to a
++Local Area Network. Because the remote host may have a different IP
++address each time it connects it is known as a nomad and its KeyID is
++used for identification rather than the IP address identification normally
++used to establish authenticity.
++
++The primary difficulty in setting up a nomadic server in conjunction with
++NAT is not in reaching in to the LAN but in returning a response to the
++remote host. The remote host IP address cannot, by definition, be known
++in advance. Further - authentication of the remote host and
++identification of its IP address by the SKIP module does not proceed to
++update the routing tables in the kernel. A LAN host receiving a
++connection request has insufficient information to reply to the remote
++host either via a static route or by dynamic routing.
++
++This leads to the requirement that the nomadic server must be in-line
++between the Internet and the LAN so that all packets not destined for the
++LAN are routed to the nomadic server by the gateway address in the LAN
++host.
++
++The second requirement is to prevent NAT from interfering. NAT does
++not bother the SKIP pass as the packet header is directed to the
++nat/skiphost. You can count the inbound SKIP packets as they
++can be identified by the SKIP protocol (57). Use an ipfw rule
++before the NAT rule such as:
++
++00010 allow skip from any to any in recv fxp0
++00100 divert 8668 ip from any to any via fxp0
++
++assuming that skip is identified as 57 in /etc/protocols.
++
++A rule is required for the de-encrypted packets to allow them to be
++forwarded to the LAN by the routing mechanism without interference from
++NAT during the second pass:
++
++00010 allow skip from any to any in recv fxp0
++00020 allow ip from any to 192.168.0.0/24 in recv fxp0
++00100 divert 8668 ip from any to any via fxp0
++
++Now you can have nomadic hosts connect securely as part of the LAN and
++hosts on the LAN can continue to access the Internet through NAT. Of
++course, you have to configure the skiphost ACL correctly and setup the
++SKIP client on the nomad to match but that's covered in the
++documentation.
++
++Jim Flowers <jflowers@ezo.net>
++#4 ISP on C|NET, #1 in Ohio
++
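Review bot: The second ipfw example's rule 00020, `allow ip from any to 192.168.0.0/24 in recv fxp0`, is not limited to packets that SKIP has just de-encapsulated: it matches any inbound packet on fxp0 whose destination is in the LAN range, so such a packet is accepted and forwarded past NAT and every later rule whether or not it ever went through SKIP. The document should state that trade-off, since the setup's safety then rests on nothing upstream being able to deliver traffic for that range; a sentence after the second listing such as `Note that rule 00020 admits any packet arriving on fxp0 addressed to the LAN, not only SKIP-decapsulated ones; confirm that no unencrypted packet for that range can reach the interface, or tighten the rule.` would make it explicit. Whether the SKIP module gives ipfw a way to recognise decapsulated packets is not shown here, so the tightening itself is left to the reader. Separately, "incompatable" in the first paragraph should read "incompatible".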
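--- a/security/skip/pkg-plist
+++ b/security/skip/pkg-plist
@@ -36,6 +36,7 @@ share/doc/skip/README.PATENT
 share/doc/skip/00README
 share/doc/skip/INSTALL
 share/doc/skip/README.FreeBSD
+share/doc/skip/README.FreeBSD+NAT
 share/doc/skip/advanced.TOPICS
 share/doc/skip/usersguide.txt
 share/doc/skip/usersguide.ps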