[hipl-users] Re: Hip Firewall questions

  • From: Miika Komu <miika.komu@xxxxxxx>
  • To: hipl-users@xxxxxxxxxxxxx
  • Date: Thu, 16 Oct 2008 11:30:27 +0300

jgilllor@xxxxxxxxx wrote:

> Hi,

Hi :)

> First of all, I should say that I am referring to the hip-firewall openwrt version. I don't know if it is at the same level of development as the main branch.

For your purposes, the main branch is basically up to date with the openwrt branch. There are more bug fixes on the main branch.

> Well, I am trying to do some measurements with iperf but I have some problems.
>
> It seems that when I put some rules in the /etc/hip/firewall_conf it doesn't work. I put these two rules:
>
> FORWARD -scr_hit HIT1 -dst_hit HIT2 ACCEPT
> FORWARD -scr_hit HIT2 -dst_hit HIT2 ACCEPT

It is "-src_hit", not "-scr_hit".

> When I try the hip test between the two hosts, it doesn't work.
>
> If I execute hipfw -F, the test works fine.

-F deactivates connection tracking completely. All HIP/ESP packets are allowed.

> If I execute hipfw -A, the test doesn't work. It should work, right?

Yes. This one enables connection tracking, but all HIP/ESP packets are still allowed.

> Maybe I am missing something, because if I analyze the traffic between the two hosts it seems that the connection uses the IPv4 address instead of the HIT. I don't know why, because I use iperf -c HIT1 -V, and it should use the IPv6 address.

The use of HIP does not imply that the packets on the wire are IPv6. The encapsulation depends on what you have configured in /etc/hosts for the peer (IPv4 or IPv6) address. I would think that you are still seeing HIP and ESP packets, right?
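A misspelled option such as "-scr_hit" is easy to miss by eye, so a small pre-flight linter for the rule file is a cheap check before reloading hipfw. The script below is an added example, not part of HIPL or the hipfw code base. It assumes the rule grammar visible in the thread (CHAIN, then option/argument pairs, then TARGET, one rule per line); the INPUT/OUTPUT chains, the DROP target and the -type/-state/-i/-o options are assumptions added by analogy with netfilter, and the check that a HIT lies in the ORCHID prefix 2001:10::/28 (RFC 4843) is an assumption about the deployment. The sample rule file and its HITs are constructed.

```python
"""Lint a hipfw-style rule file before loading it (constructed example, not HIPL code).

Assumed grammar, one rule per line:
    CHAIN [-option ARG]... TARGET
"""
import ipaddress
from typing import List, Tuple

# Chains and targets: FORWARD/ACCEPT appear in the thread; the rest are assumed.
CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
TARGETS = {"ACCEPT", "DROP"}
# Options taking exactly one argument. -src_hit/-dst_hit come from the thread;
# -type/-state/-i/-o are assumed for illustration.
OPTIONS = {"-src_hit", "-dst_hit", "-type", "-state", "-i", "-o"}
HIT_OPTIONS = {"-src_hit", "-dst_hit"}
# Assumption: HITs in this deployment are ORCHID addresses (RFC 4843).
ORCHID = ipaddress.ip_network("2001:10::/28")


def is_hit(text: str) -> bool:
    """True if text parses as an IPv6 address inside the ORCHID prefix."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return addr.version == 6 and addr in ORCHID


def suggest(opt: str) -> str:
    """Hint for transposition typos: an unknown option made of the same
    letters as a known one (catches -scr_hit vs -src_hit)."""
    for known in OPTIONS:
        if sorted(known) == sorted(opt):
            return known
    return ""


def lint_rule(line: str) -> List[str]:
    """Return a list of problems for one rule line; blank/comment lines pass."""
    problems: List[str] = []
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return problems
    if tokens[0] not in CHAINS:
        problems.append(f"unknown chain {tokens[0]!r}")
    if tokens[-1] not in TARGETS:
        problems.append(f"unknown target {tokens[-1]!r}")
    body = tokens[1:-1]
    i = 0
    while i < len(body):
        opt = body[i]
        if opt not in OPTIONS:
            msg = f"unknown option {opt!r}"
            hint = suggest(opt)
            if hint:
                msg += f" (did you mean {hint!r}?)"
            problems.append(msg)
            i += 2  # assume it consumed an argument and keep scanning
            continue
        if i + 1 >= len(body):
            problems.append(f"option {opt} is missing its argument")
            break
        arg = body[i + 1]
        if opt in HIT_OPTIONS and not is_hit(arg):
            problems.append(f"{opt} {arg!r} is not a HIT (expected an address in {ORCHID})")
        i += 2
    return problems


def lint_config(text: str) -> List[Tuple[int, str]]:
    """Lint a whole rule file; returns (line number, problem) pairs."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        for problem in lint_rule(line):
            findings.append((n, problem))
    return findings


# Constructed sample mirroring the thread: line 2 carries the -scr_hit typo,
# line 4 uses an IPv4 address where a HIT is expected.
SAMPLE_CONF = """\
# constructed sample; HITs are made up
FORWARD -scr_hit 2001:10::1 -dst_hit 2001:10::2 ACCEPT
FORWARD -src_hit 2001:10::2 -dst_hit 2001:10::1 ACCEPT
FORWARD -src_hit 192.0.2.1 -dst_hit 2001:10::1 DROP
"""

if __name__ == "__main__":
    for n, problem in lint_config(SAMPLE_CONF):
        print(f"line {n}: {problem}")
```

Run it against the real /etc/hip/firewall_conf by reading the file into lint_config; an empty result means every chain, option, target and HIT was recognised, which is the state you want before comparing hipfw -F and hipfw -A behaviour.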
