On Tue, Jan 15, 2002 at 02:22:17PM +0200, Ari Suutari wrote:
> Hi,
>
> On Tuesday 15 January 2002 14:18, Alex Le Heux wrote:
> >
> > > Maybe one could remove this, add 'ipsec' flag to ipfw
> > > (which would use the above ipsec_gethist to match it)
> > > so the syntax would be something like this:
> > >
> > > ipfw add pass tcp from a to b ipsec setup # matches only packets that came
> > > via ipsec stack
> > > ipfw add pass 50 from a to b # matches packets that didn't come via ipsec
> >
> > [snip]
> >
> > This looks like it would work for most situations.
> >
> > What one would not be able to do this way is prevent spoofing. In an ideal
> > world I would also want to filter packets that come from the wrong tunnel.
>
> But doesn't ipsec stack already take care of this ? I think (hope)
> that it doesn't process the packet if it is coming from wrong tunnel
> because the packet does not match the policy.
I'm not sure if it actually drops 'wrong' packets coming from the tunnel.
I'll see if I have some time soon to look into it.

Regards,

Alex Le Heux

-- 
"Although the force from the engine is a lot for a motorcycle, the Earth is
not impressed. The Motorcycle and I lose the 'F' and 'm' battle and have to
consume all the 'a' in the form of sheer unadulterated acceleration." - Ian Orr
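Added example, not part of the thread and not code from either poster: a small ipfw ruleset that uses the `ipsec` rule option (the option the proposal above describes; it matches packets carrying IPsec history, i.e. packets the kernel decapsulated from an SA) to address the spoofing concern Alex raises. Traffic claiming to come from the peer's private network is accepted only when it arrived through the IPsec stack; the same addresses arriving in cleartext are dropped and logged. The gateway and network addresses are constructed placeholders, and the `ruleset` function only emits rule text so the block can be inspected without touching a live firewall. Note that `ipsec` says nothing about which SA a packet came from; deciding whether a packet matches the right tunnel is the job of the kernel's SPD, which is the point Ari makes.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed addresses:
PEER_GW="203.0.113.10"        # assumed: remote IPsec gateway, public address
REMOTE_NET="10.20.0.0/16"     # assumed: private network behind the peer
LOCAL_NET="10.10.0.0/16"      # assumed: our own private network

# Emit the ruleset, one ipfw(8) rule body per line, without loading it.
# 100-111: let the tunnel itself (ESP, IKE) reach our gateway.
# 200:     traffic from the remote private net is accepted only if it was
#          decapsulated by the IPsec stack (the `ipsec` option).
# 201:     our outbound cleartext toward the peer net, before encapsulation.
# 300:     anything else claiming the remote private net as source is a
#          spoofed cleartext packet: drop it and log it.
ruleset() {
    cat <<EOF
add 100 allow esp from $PEER_GW to me
add 101 allow esp from me to $PEER_GW
add 110 allow udp from $PEER_GW 500 to me 500
add 111 allow udp from me 500 to $PEER_GW 500
add 200 allow ip from $REMOTE_NET to $LOCAL_NET ipsec
add 201 allow ip from $LOCAL_NET to $REMOTE_NET
add 300 deny log ip from $REMOTE_NET to any in
EOF
}

# How many rules depend on IPsec history (useful as a sanity check that
# the anti-spoofing rule is present before loading).
ipsec_rule_count() {
    ruleset | grep -c ' ipsec$'
}

# Total number of rules emitted.
rule_count() {
    ruleset | grep -c .
}

# Load the rules with ipfw(8) when it is available; otherwise print them.
apply_ruleset() {
    if command -v ipfw >/dev/null 2>&1; then
        ruleset | while read -r rule; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw -q $rule
        done
    else
        ruleset
    fi
}
```

Rule 300 is what the two-rule sketch in the quoted proposal leaves out: without it, a cleartext packet forged with a source in the remote private network would simply fall through to whatever later rules allow. The `ipsec` option requires a kernel built with IPsec support and tunnel filtering enabled so that decapsulated packets are passed through the firewall a second time.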