author | Archie Cobbs <archie@FreeBSD.org> | 1999-07-22 18:37:09 +0000 |
---|---|---|
committer | Archie Cobbs <archie@FreeBSD.org> | 1999-07-22 18:37:09 +0000 |
commit | 892a9dd0983c204b04620393342b210a66f75f45 (patch) | |
tree | c03b638485a825223f4a4e0ab483126d4f338abb | |
parent | 7efe79f49b3588fcca43a1fefa6c7ebdf92a3dbf (diff) |
-rw-r--r-- | security/skip/Makefile | 4 | ||||
-rw-r--r-- | security/skip/files/patch-aw | 13 | ||||
-rw-r--r-- | security/skip/files/patch-bb | 15 | ||||
-rw-r--r-- | security/skip/files/patch-cu | 69 | ||||
-rw-r--r-- | security/skip/pkg-plist | 1 |
5 files changed, 90 insertions, 12 deletions
diff --git a/security/skip/Makefile b/security/skip/Makefile index e4bd55a68831..cb9890b74c4f 100644 --- a/security/skip/Makefile +++ b/security/skip/Makefile @@ -3,7 +3,7 @@ # Date created: 26 November 1997 # Whom: Archie L. Cobbs <archie@whistle.com> # -# $Id: Makefile,v 1.6 1999/02/26 01:01:19 archie Exp $ +# $Id: Makefile,v 1.7 1999/05/04 23:18:35 steve Exp $ DISTNAME= skip-1.0 CATEGORIES= security @@ -56,4 +56,6 @@ post-patch: mv $$FILE.new $$FILE; \ done +BROKEN= Needs to be updated wrt. new device registration + .include <bsd.port.mk> diff --git a/security/skip/files/patch-aw b/security/skip/files/patch-aw index 08b96fec1ba6..ed65632c3beb 100644 --- a/security/skip/files/patch-aw +++ b/security/skip/files/patch-aw @@ -1,18 +1,21 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/ROADMAP work.new/doc/ROADMAP --- skipsrc-1.0.orig/doc/ROADMAP Fri Oct 25 13:11:55 1996 -+++ work.new/doc/ROADMAP Mon Mar 8 21:33:38 1999 -@@ -1,6 +1,10 @@ ++++ work.new/doc/ROADMAP Thu Jul 22 11:13:09 1999 +@@ -1,6 +1,13 @@ This directory contains documentation and legal statements for this release. +README.FreeBSD - Notes on the FreeBSD port of SKIP. -+ All of the other documentation is NOT -+ specific to FreeBSD. ++ ++README.FreeBSD+NAT - Notes on using SKIP with FreeBSD's NAT ++ (Network Address Translation). ++ ++All of the other documentation is NOT specific to FreeBSD: + 00README - Introduction, Release notes and Build Instructions. Read this first. You should read this if only for the -@@ -24,3 +28,4 @@ +@@ -24,3 +31,4 @@ architecture and performance. usersguide.* - User's guide in various formats diff --git a/security/skip/files/patch-bb b/security/skip/files/patch-bb index 32c0ccf41905..e0391db7cec4 100644 --- a/security/skip/files/patch-bb +++ b/security/skip/files/patch-bb 
@@ -1,15 +1,16 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work.new/mkpkgs/freebsd/Makefile --- skipsrc-1.0.orig/mkpkgs/freebsd/Makefile Fri Oct 25 13:12:32 1996 -+++ work.new/mkpkgs/freebsd/Makefile Mon Mar 8 22:13:27 1999 -@@ -64,6 +64,7 @@ ++++ work.new/mkpkgs/freebsd/Makefile Thu Jul 22 11:03:37 1999 +@@ -64,6 +64,8 @@ $(BLD_DIR)/doc/SKIP_SOFTWARE_LICENSE \ $(BLD_DIR)/doc/BN_SOFTWARE_LICENSE \ $(BLD_DIR)/doc/README.PATENT \ + $(BLD_DIR)/doc/README.FreeBSD \ ++ $(BLD_DIR)/doc/README.FreeBSD+NAT \ $(BLD_DIR)/doc/00README \ $(BLD_DIR)/doc/INSTALL \ $(BLD_DIR)/doc/advanced.TOPICS \ -@@ -104,10 +105,10 @@ +@@ -104,10 +106,10 @@ $(MKDIR) $(BSDPROTO)/bin $(MKDIR) $(BSDPROTO)/doc @@ -24,7 +25,7 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work @echo "Initializing skip/etc directory" $(INSTALL) -m 0444 $(BLD_DIR)/admin/SunICG_CA_selfcert \ -@@ -124,8 +125,8 @@ +@@ -124,8 +126,8 @@ $(BSDPROTO)/etc/skipd.conf @echo "Adding skip/drv to release" @@ -35,16 +36,18 @@ diff -ur --unidirectional-new-file skipsrc-1.0.orig/mkpkgs/freebsd/Makefile work @echo "Adding skip/bin to release" $(INSTALL) -m 0755 $(BLD_DIR)/skip/tools/skiptool/none.ras \ -@@ -191,6 +192,8 @@ +@@ -191,6 +193,10 @@ $(BSDPROTO)/doc/BN_SOFTWARE_LICENSE $(INSTALL) -m 0644 $(BLD_DIR)/doc/README.PATENT \ $(BSDPROTO)/doc/README.PATENT + $(INSTALL) -m 0644 $(BLD_DIR)/doc/README.FreeBSD \ + $(BSDPROTO)/doc/README.FreeBSD ++ $(INSTALL) -m 0644 $(BLD_DIR)/doc/README.FreeBSD+NAT \ ++ $(BSDPROTO)/doc/README.FreeBSD+NAT $(INSTALL) -m 0644 $(BLD_DIR)/doc/00README \ $(BSDPROTO)/doc/00README $(INSTALL) -m 0644 $(BLD_DIR)/doc/INSTALL \ -@@ -239,8 +242,8 @@ +@@ -239,8 +245,8 @@ $(BSDPROTO)/man/man4/raw_keys.4 $(INSTALL) -m 0644 $(BLD_DIR)/certs/man/print_cert.1m \ $(BSDPROTO)/man/man1/print_cert.1 diff --git a/security/skip/files/patch-cu b/security/skip/files/patch-cu new file mode 100644 index 000000000000..cc2aef7a23af --- /dev/null 
+++ b/security/skip/files/patch-cu 
@@ -0,0 +1,69 @@ +diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/README.FreeBSD+NAT work.new/doc/README.FreeBSD+NAT +--- skipsrc-1.0.orig/doc/README.FreeBSD+NAT Wed Dec 31 16:00:00 1969 ++++ work.new/doc/README.FreeBSD+NAT Thu Jul 22 11:02:18 1999 +@@ -0,0 +1,65 @@ ++Using SKIP and FreeBSD's NAT (Network Address Translation) together ++------------------------------------------------------------------- ++ ++Skip and NAT are two very popular strategies for building secure ++networks with FreeBSD. They are sometimes believed to be incompatable ++when applied to the same interface. They will work together, however, ++when correctly configured. This document addresses the reference ++implementation of SKIP (1.0) and natd as implemented through ipfw. ++ ++The key to understanding the operation of SKIP and NAT in parallel is to ++realize that inbound packets traverse the ipfw ruleset twice - once as an ++encapsulated packet and once as an de-encapsulated packet with the ++original destination address restored. Outbound packets, on the other ++hand, make a single pass in the unencapsulated state. This understanding ++can be used to advantage in building a nomadic SKIP server. A nomadic SKIP ++server allows any host equipped with a SKIP client to connect to the ++Internet (eg. via a dialup connection to an ISP) and then establish a ++secure connection to the nomadic SKIP server allowing full access to a ++Local Area Network. Because the remote host may have a different IP ++address each time it connects it is known as a nomad and its KeyID is ++used for identification rather than the IP address identification normally ++used to establish authenticity. ++ ++The primary difficulty in setting up a nomadic server in conjunction with ++NAT is not in reaching in to the LAN but in returning a response to the ++remote host. The remote host IP address cannot, by definition, be known ++in advance. 
Further - authentication of the remote host and ++identification of its IP address by the SKIP module does not proceed to ++update the routing tables in the kernel. A LAN host receiving a ++connection request has insufficient information to reply to the remote ++host either via a static route or by dynamic routing. ++ ++This leads to the requirement that the nomadic server must be in-line ++between the Internet and the LAN so that all packets not destined for the ++LAN are routed to the nomadic server by the gateway address in the LAN ++host. ++ ++The second requirement is to prevent NAT from interfering. NAT does ++not bother the SKIP pass as the packet header is directed to the ++nat/skiphost. You can count the inbound SKIP packets as they ++can be identified by the SKIP protocol (57). Use an ipfw rule ++before the NAT rule such as: ++ ++00010 allow skip from any to any in recv fxp0 ++00100 divert 8668 ip from any to any via fxp0 ++ ++assuming that skip is identified as 57 in /etc/protocols. ++ ++A rule is required for the de-encrypted packets to allow them to be ++forwarded to the LAN by the routing mechanism without interference from ++NAT during the second pass: ++ ++00010 allow skip from any to any in recv fxp0 ++00020 allow ip from any to 192.168.0.0/24 in recv fxp0 ++00100 divert 8668 ip from any to any via fxp0 ++ ++Now you can have nomadic hosts connect securely as part of the LAN and ++hosts on the LAN can continue to access the Internet through NAT. Of ++course, you have to configure the skiphost ACL correctly and setup the ++SKIP client on the nomad to match but that's covered in the ++documentation. ++ ++Jim Flowers <jflowers@ezo.net> ++#4 ISP on C|NET, #1 in Ohio ++ diff --git a/security/skip/pkg-plist b/security/skip/pkg-plist index af7a545e706f..12559f8410cb 100644 --- a/security/skip/pkg-plist +++ b/security/skip/pkg-plist 
@@ -36,6 +36,7 @@ share/doc/skip/README.PATENT share/doc/skip/00README share/doc/skip/INSTALL share/doc/skip/README.FreeBSD +share/doc/skip/README.FreeBSD+NAT share/doc/skip/advanced.TOPICS share/doc/skip/usersguide.txt share/doc/skip/usersguide.ps |
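Review bot: in the security/skip/Makefile hunk, the new `BROKEN= Needs to be updated wrt. new device registration` line gives no pointer to which device-registration change it means, so nobody can tell later when the marker may be lifted; the reason should name the change (or a PR) rather than "new device registration". The line is also placed after the post-patch loop, immediately before `.include <bsd.port.mk>`, while the port's other variables (DISTNAME, CATEGORIES) are at the top; keeping BROKEN with them makes it visible to anyone reading the Makefile. Worth stating in the commit that the port is being marked BROKEN in the same commit that adds README.FreeBSD+NAT, since the new document describes a setup that this port cannot currently be built to run.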
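Review bot: in the patch-cu hunk, the rule `00020 allow ip from any to 192.168.0.0/24 in recv fxp0` admits more than the de-encapsulated second pass it is written for. As the README itself says, the decrypted packet re-enters the ruleset on fxp0 with the original destination restored, so ipfw as configured here cannot distinguish it from a cleartext packet that arrives on fxp0 from outside with a 192.168.0.0/24 destination; any upstream host able to deliver such a packet to fxp0 reaches the LAN without passing through SKIP or natd. The README should state that caveat and suggest a tighter match for the second pass (or an antispoof rule ahead of it) instead of matching on destination alone. In the same spirit, `00010 allow skip from any to any in recv fxp0` could be `from any to <skiphost address>`, since protocol 57 to any other destination has no business being accepted before the divert rule. Smaller points in the same hunk: "incompatable" should be "incompatible", "an de-encapsulated" should be "a de-encapsulated", "eg." should be "e.g.", and the closing tagline "#4 ISP on C|NET, #1 in Ohio" is advertising that does not belong in shipped documentation; keep the author credit and drop the tagline.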