Julian Elischer <[EMAIL PROTECTED]> writes:
> Thanks for bringing this up..
> I'm actually flabbergasted that it's so. I've been assuming it was the
> other way around.
> The advantage of having it the other way would be to be able to do other
> evil things to ipsec packets, but as it is you can totally block
> all packets and ipsec will still work..
> but that's certainly not POLA.. because we tell the world that
> the ipfw works on ALL packets.
>
> I'd vote to reverse it...
You have to be careful when you reverse it. If you are doing NAT and have IPsec tunnels that are supposed to tunnel your private addresses, the packets will be NAT'd before matching an IPsec policy.
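The ordering problem described in the reply, modelled as an added example (not code from the thread or from FreeBSD): a simplified outbound pipeline with two stages, an IPsec SPD lookup and a masquerading NAT. When NAT runs first, the private source address is rewritten before the SPD is consulted, so the tunnel policy no longer matches and the packet would leave in the clear. The addresses and the "NAT exemption" mitigation are constructed for the illustration; the exemption models the usual fix of skipping NAT for traffic destined to the remote private network.

```python
"""Stage-ordering model: IPsec policy lookup vs. NAT on the outbound path.

Added example with hypothetical addresses (RFC 1918 / RFC 5737 ranges);
it is not FreeBSD code and ignores everything except the two stages.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    esp: bool = False  # True once the packet has been ESP-encapsulated


# Constructed configuration: two private LANs joined by a tunnel between
# our public address and the peer gateway.
PRIVATE_LAN = ipaddress.ip_network("10.0.0.0/24")
REMOTE_LAN = ipaddress.ip_network("10.1.0.0/24")
PUBLIC_IP = "203.0.113.1"
PEER_GW = "198.51.100.9"

# SPD entry: traffic from PRIVATE_LAN to REMOTE_LAN is tunneled to PEER_GW.
SPD = [(PRIVATE_LAN, REMOTE_LAN, PEER_GW)]


def ipsec_lookup(pkt: Packet) -> Packet:
    """Apply the first matching SPD entry: wrap in ESP with outer addresses."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, gw in SPD:
        if src in src_net and dst in dst_net:
            return Packet(src=PUBLIC_IP, dst=gw, esp=True)
    return pkt  # no policy matched: packet continues in cleartext


def make_nat(exempt_dsts=()):
    """Build a masquerading NAT stage.

    exempt_dsts: destination networks whose traffic is left untouched
    (the usual mitigation: do not NAT what the tunnel is meant to carry).
    """
    exempt = [ipaddress.ip_network(n) for n in exempt_dsts]

    def nat(pkt: Packet) -> Packet:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if any(dst in net for net in exempt):
            return pkt
        if src.is_private:
            return replace(pkt, src=PUBLIC_IP)
        return pkt

    return nat


def process(pkt: Packet, order, nat_stage=None) -> Packet:
    """Run the packet through the named stages in the given order."""
    stages = {"ipsec": ipsec_lookup, "nat": nat_stage or make_nat()}
    for name in order:
        pkt = stages[name](pkt)
    return pkt


def outcome(pkt: Packet) -> str:
    """Classify the result: did the private traffic end up inside the tunnel?"""
    return "tunneled" if pkt.esp else "cleartext"


if __name__ == "__main__":
    lan_pkt = Packet(src="10.0.0.5", dst="10.1.0.7")
    print("ipsec then nat:", outcome(process(lan_pkt, ["ipsec", "nat"])))
    print("nat then ipsec:", outcome(process(lan_pkt, ["nat", "ipsec"])))
    fixed = make_nat(exempt_dsts=[str(REMOTE_LAN)])
    print("nat (exempt) then ipsec:",
          outcome(process(lan_pkt, ["nat", "ipsec"], nat_stage=fixed)))
```

Running it shows the same packet being tunneled when the SPD lookup precedes NAT, leaving in cleartext with a rewritten source when NAT goes first, and tunneled again once the NAT stage exempts the remote private network. That exemption is the check to have in place before moving the filter in front of IPsec.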