File openswan.README.SUSE of Package openswan

Packaging info for openswan
---------------------------
openswan has replaced the freeswan package that was present on previous
versions of SUSE Linux Professional and Enterprise Server.

SUSE had been applying many patches to enhance the functionality of
FreeS/WAN; many of them came from SuperFreeS/WAN which was an enhanced
version of FreeS/WAN and the predecessor of OpenS/WAN.

Firewalling with 2.6 kernel IPsec
---------------------------------
In former times (2.4 kernel with KLIPS module), the use could use firewall
rules that were matching only network packets received to sent via ipsec
by specifying the interface ipsecX. This interface does not exist any more
with the in-kernel implementation of IPsec support in kernel 2.6.

To allow filtering specifically for IPsec packets, a new netfilter policy
module has been created. To find out about it, enter 
ipsec -m policy --help

You can match IPsec/non-IPsec traffic (--pol ipsec/none) by direction 
(in/out), protocol (esp/ah/ipcomp), mode (tunnel/transport), ... and do 
whatever you want with the matching packets (ACCEPT, DROP, ...) 

Here's an example that rejects all incoming packets from the interface 
$WLAN_IF that is are not IPsec ESP packets.
iptables -A FORWARD -i $WLAN_IF -m policy --dir in --pol ipsec -j ACCEPT 
iptables -A FORWARD -i $WLAN_IF -j LOG --log-prefix "NonESP: " 
iptables -A FORWARD -i $WLAN_IF -j DROP 
 
					Your Novell/SUSE team.
					http://www.suse.com/feedback/