On Thu, 3 Jul 2014, Phillip Hallam-Baker wrote:
> One long-term consequence of this obstructionism is that nobody actually
> deploys what the IETF claims is the IPsec standard. Microsoft and others
> implement it, but every company I have been at with a VPN has required use of a
> plug-in to get round the intentional NAT-sabotage etc.
RFC 3947 was published in 2005. I hope you are using more up to date
IPsec implementations.
> At the moment a firewall can't do the right thing because it does not have the
> right information. Giving it the right information is a necessary but
> not sufficient condition for doing the right thing.
> This is one of the functions I support in Omnibroker. When an application wants
> to open an inbound or outbound network connection, it makes a request
> to the Omnibroker, which then performs the necessary configuration and supplies
> all the necessary information to make the service connection.
Ask how well that went for firewalld in Fedora :P
Paul