Crist,

Crist J. Clark wrote:
> I don't see this. I have one rule on my external interface,
>
>     block in log quick on de0 all head 2000
>     ...
>     pass in quick proto esp from any to 12.234.89.252/32 group 2000
>
> That allows in ESP traffic from any host. No other rules are required on this interface for the IPsec tunnel to work. Obviously, I need a rule on the internal interface to let the unencrypted traffic pass this interface. But since all of the interesting filtering of traffic from the outside world happens on the external interface,
>
>     pass out quick on fxp0 all

I don't quite understand. Firstly, are you saying that you *only* accept IPsec and nothing else from your external interface? That is not the case with Mike or me; at least I need to use my external interface for generic Internet traffic, too, so I can't block all other traffic.

Secondly, are you using ipfw2? I thought it was only available in -CURRENT or 5.0, not in 4.7-STABLE? Or am I wrong?

--Pekka

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
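As an added illustration of the ipfilter rule style used in Crist's quoted message (this ruleset is not from the thread and is not either poster's configuration): it keeps the same head/group layout, so that the only unsolicited inbound traffic accepted on the outside interface is ESP, and adds stateful pass-out rules so that locally initiated Internet traffic still gets its replies back. The interface names de0 and fxp0 and the address 12.234.89.252/32 are taken from the quoted rules; the "keep state" rules are my assumption about how the two requirements would be combined.

```conf
# Added example (not from the thread). Interface names and the address
# 12.234.89.252/32 come from the quoted rules; the stateful rules are an
# assumed way to accept only unsolicited ESP on the outside interface while
# still allowing locally initiated Internet traffic.

# Default for inbound on the external interface: log and drop, unless a
# rule in group 2000 matches. "quick" stops rule evaluation on a match, and
# the head rule's action applies when nothing in the group matches.
block in log quick on de0 all head 2000

# The only unsolicited inbound traffic accepted: ESP to the tunnel endpoint.
pass in quick proto esp from any to 12.234.89.252/32 group 2000

# Outbound traffic leaving through de0. "keep state" creates a state table
# entry, and ipfilter consults the state table before the rule list, so the
# matching replies are let back in despite the "block in" above without
# needing a separate "pass in" rule. "flags S" limits TCP state creation to
# connection-initiating SYN packets.
pass out quick on de0 proto tcp from any to any flags S keep state
pass out quick on de0 proto udp from any to any keep state
pass out quick on de0 proto icmp from any to any keep state

# Internal interface: let the decrypted tunnel traffic (and everything else)
# through; the interesting filtering is done on de0.
pass in quick on fxp0 all
pass out quick on fxp0 all
```

Loading it with `ipf -Fa -f /etc/ipf.rules` replaces the active ruleset; `ipfstat -io` shows the rules as loaded, and `ipfstat -s` shows the state table entries created by the "keep state" rules, which is the quickest way to confirm that outbound connections are being tracked rather than relying on the "block in" rule being bypassed.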
