Jason Ish writes:
> > I'd vote to reverse it...
> 
> You have to be careful when you reverse it.  If you are doing NAT and
> have IPsec tunnels that are supposed to tunnel your private addresses
> the packets will be NAT'd before matching an IPsec policy.

ISTR that the KAME guys asked the lists about this exact question,
i.e., whether IPSec or ipfw should come first.. so there may be a
useful discussion archived somewhere.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
