Ari Suutari wrote:
> > Hi,
> >
> >> With the changes you can choose whether you want to do firewalling before
> >> ipsec processing or after but not both.
> >
> > I am unsure if I get that right but that's what the ipsec flag in
> > ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
> > and the same traffic, tagged to come from an ipsec tunnel, afterwards.
> >
> > If your changes won't handle this you will break too many IPSec GWs I
> > think.
> >
> At least I do filtering both before and after ipsec. Typical case
> is that before ipsec I allow only esp from peer's ipsec box, after
> ipsec I allow some tcp ports if (and only if) the packet has
> originated from ipsec (I use ipsec flag).
>
> So being able to filter traffic both before and after is necessary,
> it is very well possible right now, if one uses IPSEC_FILTERGIF
> kernel option and ipfw "ipsec" flag. Please don't break this, it has
> been broken more or less in various releases (or at least there have
> been differences in how firewalling works with ipsec stuff).
>
> However, feel free to fix the remaining problems for *outgoing*
> traffic.
All I intend to provide is a way to specify whether you want IPSEC before
or after pfil_hooks. By default it will be as it is today and work exactly
the same.

--
Andre

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
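The before/after filtering Ari describes, written out as an ipfw2 ruleset (an added example, not code from the thread or from FreeBSD): only ESP from the peer gateway is accepted before IPsec, and inner TCP ports are accepted after decapsulation only when the packet carries IPsec history (the "ipsec" option), which relies on the IPSEC_FILTERGIF kernel option so decapsulated packets pass pfil_hooks a second time. The peer address, remote network, the IKE rule on UDP/500 and the port list are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an ipfw2 ruleset that filters
# once before IPsec (outer ESP from the peer) and once after decapsulation
# (inner TCP, matched only with IPsec history). Assumes a kernel built with
# IPSEC_FILTERGIF so decapsulated packets hit pfil_hooks again.
# Addresses are constructed placeholders: $1 is the peer tunnel endpoint,
# $2 the network behind it.

build_rules() {
    peer="$1"; remote_net="$2"
    # Before IPsec: the peer may only send us ESP in the clear. IKE on
    # UDP/500 is assumed to be needed for keying; it is not in the thread.
    echo "add 100 allow esp from $peer to me"
    echo "add 110 allow udp from $peer 500 to me 500"
    # After IPsec: inner TCP to 22 and 80 is accepted only if the packet was
    # decapsulated from the tunnel (the ipfw2 "ipsec" option) and carries a
    # source inside the expected remote network.
    echo "add 200 allow tcp from $remote_net to me 22,80 ipsec"
    # The same inner addresses arriving without IPsec history are spoofed
    # or misrouted cleartext; deny them explicitly rather than by default.
    echo "add 210 deny tcp from $remote_net to me 22,80"
    echo "add 65000 deny ip from any to me"
}

# Load on the gateway as root: load_rules 203.0.113.10 10.2.0.0/16
load_rules() {
    build_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086
        ipfw -q $rule
    done
}
```

Run `build_rules` on its own first to review the generated rules; `load_rules` only differs by handing each line to ipfw.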