Dmitry Pryanishnikov wrote:
> Hello!
>
> On Sun, 2 Apr 2006, Bjoern A. Zeeb wrote:
>>> Why not? IMHO it will be a very useful feature: think about e.g.
>>> traffic shaping for several different networks which are routed via
>>> the same ipsec tunnel. Without the enc0, you can only shape them
>>> together, e.g.:
>>
>> why not shaping on the internal interface in case this is a gateway?
>> You know src and dst there too.
>
> Gateway can also contain sources of traffic, and we should be able
> to shape all outgoing or incoming traffic (not only transit packets,
> but also locally-originated).
>
>> The only difference enc0 makes is for host-only-setups or if you want
>> to see all your unencrypted ipsec traffic on a gateway in one place.

As an example, I'm working on a firewall for a hospital. We have to terminate a variety of tunnels for vendors providing sensitive services; but we don't necessarily trust the vendors. I appreciate that I can filter their traffic as it passes out of the firewall into the hospital proper; but I would just as soon be able to prevent them from tickling the firewall itself. I realize using ipencap would address this; but this is not really an option when dealing with service vendors.

> It seems to me that it's also useful for general traffic
> shaping/accounting/filtering purposes.
>
> Sincerely, Dmitry
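One way to express the policy discussed above (filter each vendor's decrypted tunnel traffic on enc0, keep vendors off the firewall's own addresses, and shape each vendor network separately), as an added pf.conf sketch that is not from this thread or from either poster. Interface names, addresses, ports and bandwidth figures are constructed placeholders; it assumes pf with ALTQ and the enc(4) pseudo-interface are available on the gateway.

```pf
# Constructed example values: adjust to the real topology.
ext_if        = "em0"                         # Internet-facing, carries ESP/IKE
int_if        = "em1"                         # hospital LAN
hospital_net  = "10.0.0.0/16"
vendor_a      = "192.168.50.0/24"             # remote end of vendor A's tunnel
vendor_b      = "192.168.51.0/24"             # remote end of vendor B's tunnel
firewall_self = "{ 10.0.0.1, 203.0.113.1 }"   # the gateway's own addresses

# Per-vendor shaping on the inside interface: decrypted packets that
# were assigned a queue on enc0 are queued here on their way out.
altq on $int_if cbq bandwidth 100Mb queue { q_default, q_vendor_a, q_vendor_b }
queue q_default  bandwidth 80% cbq(default)
queue q_vendor_a bandwidth 10%
queue q_vendor_b bandwidth 10%

# On the outside only the encrypted tunnel itself is accepted.
block in on $ext_if all
pass  in on $ext_if proto esp from any to $ext_if
pass  in on $ext_if proto udp from any to $ext_if port { 500, 4500 }

# Decrypted packets reappear on enc0; this is the one place where
# all vendors' cleartext traffic can be filtered and accounted.
block in on enc0 all

# Vendors may never reach the gateway itself, whatever else matches.
block in quick on enc0 from { $vendor_a, $vendor_b } to $firewall_self

# Each vendor reaches only the service it is contracted for.
pass in on enc0 proto tcp from $vendor_a to 10.0.5.10 port 443 \
    keep state queue q_vendor_a
pass in on enc0 proto tcp from $vendor_b to 10.0.5.20 port 22 \
    keep state queue q_vendor_b

# Traffic leaving the gateway for the hospital LAN.
pass out on $int_if from { $vendor_a, $vendor_b } to $hospital_net keep state
```

With `pfctl -s rules -v` the per-rule packet and byte counters on the enc0 rules double as per-vendor accounting, which is the use Dmitry describes.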