Hi,

On Tuesday 15 January 2002 14:18, Alex Le Heux wrote:
>  
> >     Maybe one could remove this, add 'ipsec' flag to ipfw 
> >     (which would use the above ipsec_gethist to match it)
> >     so the syntax would be something like this:
> > 
> >     ipfw add pass tcp from a to b ipsec setup # matches only packets that came via ipsec stack
> >     ipfw add pass 50 from a to b # matches packets that didn't come via ipsec
> 
> [snip]
> 
> This looks like it would work for most situations.
> 
> What one would not be able to do this way is prevent spoofing. In an ideal
> world I would also want to filter packets that come from the wrong tunnel.

        But doesn't the ipsec stack already take care of this? I think (hope)
        that it doesn't process the packet if it is coming from the wrong tunnel,
        because the packet does not match the policy.

                Ari S.


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message