Hi,
But I may be missing something because I can see no way in firewall rules to distinguish between the before IPSec processing hook and the after IPSec processing one. Could you clarify this for me please?
There is a keyword "ipsec" in ipfw2, which matches if packet has emerged
from ipsec tunnel. To match packet before ipsec stack, use protocol esp/ah
in ipfw rule. To match packet after ipsec stack, use tcp/udp/ip as protocol
and "ipsec" keyword.
The problem is that this doesn't work for outgoing packets, which breaks at least stateful rules.
Ari S.
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
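As an added illustration of the distinction described in the reply above (not code from the thread or from FreeBSD itself), the script below prints a small ipfw2 ruleset: ESP/AH rules match the packet before the IPsec stack has touched it, and rules with the `ipsec` keyword match the decapsulated inner packet afterwards. The peer address, inner network and interface name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original message. The values below are
# placeholders chosen for illustration.
PEER=${PEER:-192.0.2.1}       # remote IPsec gateway (placeholder)
INNER=${INNER:-10.0.1.0/24}   # network reached through the tunnel (placeholder)
WAN=${WAN:-em0}               # outside interface (placeholder)

# Print the ruleset instead of loading it, so it can be reviewed (or saved
# to a file and loaded with `ipfw pathname`) without touching the live firewall.
gen_rules() {
    cat <<EOF
# Before the IPsec stack: the packet is still ESP/AH encapsulated, so the
# only thing to match on is the IPsec protocol itself.
add 100 allow esp from $PEER to me in via $WAN
add 110 allow ah from $PEER to me in via $WAN
add 120 allow esp from me to $PEER out via $WAN
add 130 allow ah from me to $PEER out via $WAN
# After the IPsec stack: the inner packet carries IPsec history, so match on
# the inner protocol together with the "ipsec" keyword.
add 200 allow tcp from $INNER to me 22 in ipsec setup keep-state
add 210 deny ip from any to any in ipsec
# Cleartext traffic on the outside interface that never came through IPsec.
add 300 deny tcp from any to me 22 in via $WAN
add 65000 allow ip from any to any
EOF
}

# Sanity check for a review: how many rules rely on the post-IPsec match.
count_ipsec_rules() {
    gen_rules | grep '^add' | grep -c ' ipsec'
}
```

Rule 200 is where the problem reported in this thread shows up: the `keep-state` entry is created for the inbound, decapsulated packet, but the matching outbound reply does not carry the `ipsec` history, so the dynamic rule does not see it as the return half of the same session.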