head	1.3;
access;
symbols
	RELEASE_6_1_0:1.2
	RELEASE_5_5_0:1.2
	RELEASE_6_0_0:1.2
	RELEASE_5_4_0:1.2
	RELEASE_4_11_0:1.2
	RELEASE_5_3_0:1.2
	RELEASE_4_10_0:1.2
	RELEASE_5_2_1:1.2
	RELEASE_5_2_0:1.2
	RELEASE_4_9_0:1.2
	RELEASE_5_1_0:1.2
	RELEASE_4_8_0:1.2
	RELEASE_5_0_0:1.2
	RELEASE_4_7_0:1.2
	RELEASE_4_6_2:1.2
	RELEASE_4_6_1:1.2
	RELEASE_4_6_0:1.2
	RELEASE_5_0_DP1:1.2
	RELEASE_4_5_0:1.2
	RELEASE_4_4_0:1.2
	RELEASE_4_3_0:1.2
	RELEASE_4_2_0:1.2
	RELEASE_4_1_1:1.2
	RELEASE_4_1_0:1.2
	RELEASE_3_5_0:1.2
	RELEASE_4_0_0:1.2
	RELEASE_3_4_0:1.1
	RELEASE_3_3_0:1.1;
locks; strict;
comment	@# @;


1.3
date	2006.04.06.13.54.44;	author archie;	state dead;
branches;
next	1.2;

1.2
date	2000.01.26.01.55.24;	author archie;	state Exp;
branches;
next	1.1;

1.1
date	99.07.22.18.37.08;	author archie;	state Exp;
branches;
next	;


desc
@@


1.3
log
@Remove the skip port. Created before there was an IPSec implementation on
FreeBSD, it is now extremely obsolete. In any case it doesn't compile. Earlier
versions of this port can still be used on older versions of FreeBSD of course.
@
text
@diff -ur --unidirectional-new-file skipsrc-1.0.orig/skip/man/skipd_restart.1m work.new/skip/man/skipd_restart.1m
--- skipsrc-1.0.orig/skip/man/skipd_restart.1m	Fri Oct 25 13:12:57 1996
+++ work.new/skip/man/skipd_restart.1m	Mon Jan 24 12:35:41 2000
@@@@ -9,13 +9,6 @@@@
 You must be root to run this command.
 .SH FILES
 .P
-.SH Solaris 2.x systems:
-/etc/opt/SUNWicg/skip/skipd.pid
+/var/run/skipd.pid
 .br
-/opt/SUNWicg/bin/skipd
-.P
-.SH Other systems:
-.P
-/etc/skip/skipd.pid
-.br
-/usr/skip/bin/skipd
+@@@@PREFIX@@@@/bin/skipd
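Review bot: the pid-file path is hard-coded as /var/run/skipd.pid while the daemon path on the last line is parameterised with @@PREFIX@@; the two should be checked against each other, because this FILES section is what a reader of skipd_restart(1m) will use to find the running daemon's pid file, and if the port does not also change skipd to write its pid under /var/run the man page points at a file that is never created. Either make the pid path @@PREFIX@@-relative as well or note in the commit that skipd itself has been patched to use /var/run.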
@


1.2
log
@Bash this port until it compiles under -current again.
@
text
@@


1.1
log
@Add new file README.FreeBSD+NAT to the documentation subdirectory, describing
how to run SKIP and natd together.

Submitted by:	Jim Flowers <jflowers@@ezo.net>

Mark this port as BROKEN until the device registration bit is fixed.
@
text
@d1 19
a19 69
diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/README.FreeBSD+NAT work.new/doc/README.FreeBSD+NAT
--- skipsrc-1.0.orig/doc/README.FreeBSD+NAT	Wed Dec 31 16:00:00 1969
+++ work.new/doc/README.FreeBSD+NAT	Thu Jul 22 11:02:18 1999
@@@@ -0,0 +1,65 @@@@
+Using SKIP and FreeBSD's NAT (Network Address Translation) together
+-------------------------------------------------------------------
+
+Skip and NAT are two very popular strategies for building secure 
+networks with FreeBSD.  They are sometimes believed to be incompatable 
+when applied to the same interface.  They will work together, however,  
+when correctly configured.  This document addresses the reference 
+implementation of SKIP (1.0) and natd as implemented through ipfw.
+
+The key to understanding the operation of SKIP and NAT in parallel is to 
+realize that inbound packets traverse the ipfw ruleset twice - once as an 
+encapsulated packet and once as an de-encapsulated packet with the 
+original destination address restored.  Outbound packets, on the other
+hand, make a single pass in the unencapsulated state.  This understanding
+can be used to advantage in building a nomadic SKIP server.  A nomadic SKIP
+server allows any host equipped with a SKIP client to connect to the
+Internet (eg. via a dialup connection to an ISP) and then establish a
+secure connection to the nomadic SKIP server allowing full access to a
+Local Area Network.  Because the remote host may have a different IP
+address each time it connects it is known as a nomad and its KeyID is
+used for identification rather than the IP address identification normally
+used to establish authenticity.
+
+The primary difficulty in setting up a nomadic server in conjunction with 
+NAT is not in reaching in to the LAN but in returning a response to the 
+remote host.  The remote host IP address cannot, by definition, be known 
+in advance.  Further - authentication of the remote host and 
+identification of its IP address by the SKIP module does not proceed to 
+update the routing tables in the kernel.  A LAN host receiving a 
+connection request has insufficient information to reply to the remote 
+host either via a static route or by dynamic routing.
+
+This leads to the requirement that the nomadic server must be in-line 
+between the Internet and the LAN so that all packets not destined for the 
+LAN are routed to the nomadic server by the gateway address in the LAN 
+host.
+
+The second requirement is to prevent NAT from interfering.  NAT does 
+not bother the SKIP pass as the packet header is directed to the 
+nat/skiphost.  You can count the inbound SKIP packets as they 
+can be identified by the SKIP protocol (57).  Use an ipfw rule 
+before the NAT rule such as:
+
+00010 allow skip from any to any in recv fxp0
+00100 divert 8668 ip from any to any via fxp0
+
+assuming that skip is identified as 57 in /etc/protocols.
+
+A rule is required for the de-encrypted packets to allow them to be 
+forwarded to the LAN by the routing mechanism without interference from 
+NAT during the second pass:
+
+00010 allow skip from any to any in recv fxp0
+00020 allow ip from any to 192.168.0.0/24 in recv fxp0
+00100 divert 8668 ip from any to any via fxp0
+
+Now you can have nomadic hosts connect securely as part of the LAN and 
+hosts on the LAN can continue to access the Internet through NAT. Of 
+course, you have to configure the skiphost ACL correctly and setup the 
+SKIP client on the nomad to match but that's covered in the 
+documentation. 
+
+Jim Flowers <jflowers@@ezo.net>
+#4 ISP on C|NET, #1 in Ohio
+
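Review bot: rule 00020 (`00020 allow ip from any to 192.168.0.0/24 in recv fxp0`) admits every inbound packet on fxp0 whose destination is in the LAN range, not only the de-encapsulated SKIP traffic it is meant for. The README explains that de-encapsulated packets make a second pass through the same ruleset with their original destination restored, and nothing in rule 00020 distinguishes that second pass from a cleartext packet that arrived from the Internet already carrying a 192.168.0.0/24 destination; such a packet is passed to the LAN ahead of the NAT divert in rule 00100. The text should say that this rule relies on the skiphost ACL (mentioned only in passing at the end) rejecting cleartext from unknown peers and on the upstream router not forwarding private destinations, so readers do not treat the two-rule snippet as a complete inbound filter. Minor: "incompatable" should be "incompatible" and "an de-encapsulated" should be "a de-encapsulated".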
@

