[Spread-users] Tunnels
Mark Anacker
manacker at lizardtech.com
Wed Jan 9 11:45:46 EST 2002
I'll probably have to do something like this in the near term, but it's a
bit of a pain. Mostly due to the overhead of encapsulating a nearly-complete
IP stack on top of the existing TCP stream. But, since I don't want
unencrypted UDP flowing out (or in) through the firewall, I have to carry
it over TCP. Call me paranoid, but it's a bit easier to keep tabs on a
small set of TCP links than trying to filter whatever UDP packets come
along.
It would still be cleaner if the daemon itself could create a virtual
segment over TCP to another daemon.
On Wed, 9 Jan 2002 11:12:20 -0500
Theo Schlossnagle <jesus at omniti.com> wrote:
>
> On Wednesday, January 9, 2002, at 10:58 AM, Guido van Rossum wrote:
> > But the Spread FAQ says that Spread doesn't work over firewalls,
> > period. If it only uses point-to-point for long haul networks,
> > shouldn't it work if you punch the right holes in the firewalls, or
> > when using secure tunneling software like VPNs?
>
> It doesn't work over firewalls that block UDP. I have it working fine
> over a few firewalls. My VPNs have no firewalls on them...
>
> My conf looks like:
>
> SPREAD SEGMENT 1
> ---------------
> IPSEC VPN SIDE A
> ---------------
> FIREWALL SITE A
> ---------------
> INTERNET
> ---------------
> FIREWALL SITE B
> ---------------
> IPSEC VPN SIDE B
> ---------------
> SPREAD SEGMENT 2
>
> --
> Theo Schlossnagle
> 1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
> 2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
--
Mark Anacker
Senior Software Architect
Copyright 2002, LizardTech, Inc. All rights reserved. Unauthorized
disclosure prohibited.