https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474
j...@netgate.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |j...@netgate.com

--- Comment #25 from j...@netgate.com ---

The suggested corrections in this issue only solve the problem for a small number of cases.

Sacrificing filtering on enc in favor of if_ipsec isn't viable if someone needs both policy-based and route-based IPsec tunnels to different peers at the same time. The number of instances with a mix of both is much larger than instances which are purely using if_ipsec.

At least with filtering on enc the firewall can filter traffic for both, just no NAT or per-interface rules. If you disable filtering on enc, if_ipsec rules would work but traffic would flow freely and unfiltered on enc for policy-based tunnels, which is a security risk.

The ideal solution would allow both to coexist peacefully rather than being forced to choose. For example, policy-based traffic would filter on enc, while route-based traffic would not be processed by pfil on enc, but would filter on each individual if_ipsec interface instead.

Should this issue be reopened, or should there be a new issue framing this as a feature request instead of a bug?

--
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net