From owner-freebsd-net@FreeBSD.ORG Sun Apr 2 17:10:46 2006
From: "Eric W. Bates" <ericx_lists@vineyard.net>
To: freebsd-net@freebsd.org
Date: Sun, 02 Apr 2006 13:10:00 -0400
Subject: Re: tcpdump and ipsec
Message-ID: <44300568.8030407@vineyard.net>
In-Reply-To: <20060402151039.R51461@atlantis.atlantis.dp.ua>
References: <442D8E98.6050903@vineyard.net> <20060331222813.GA29047@zen.inc> <20060331223613.GD80492@spc.org> <20060402130227.G99958@atlantis.atlantis.dp.ua> <20060402113516.D76259@maildrop.int.zabbadoz.net> <20060402151039.R51461@atlantis.atlantis.dp.ua>
List-Id: Networking and TCP/IP with FreeBSD

Dmitry Pryanishnikov wrote:
> Hello!
>
> On Sun, 2 Apr 2006, Bjoern A. Zeeb wrote:
>
>>> Why not? IMHO it will be a very useful feature: think about e.g.
>>> traffic shaping for several different networks which are routed via
>>> the same ipsec tunnel. Without the enc0, you can only shape them together, e.g.:
>>
>> why not shaping on the internal interface in case this is a gateway?
>> You know src and dst there too.
>
> A gateway can also contain sources of traffic, and we should be able
> to shape all outgoing or incoming traffic (not only transit packets,
> but also locally-originated).
>
>> The only difference enc0 makes is for host-only-setups or if you want
>> to see all your unencrypted ipsec traffic on a gateway in one place.

As an example, I'm working on a firewall for a hospital. We have to terminate a variety of tunnels for vendors providing sensitive services; but we don't necessarily trust the vendors. I appreciate that I can filter their traffic as it passes out of the firewall into the hospital proper; but I would just as soon be able to prevent them from tickling the firewall itself.

I realize using ipencap would address this; but this is not really an option when dealing with service vendors.

> It seems to me that it's also useful for general traffic
> shaping/accounting/filtering purposes.
>
> Sincerely, Dmitry
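The hospital-firewall requirement above (tunnel peers may reach contracted hosts behind the gateway but never the gateway itself) is exactly what filtering the decrypted packets on an enc(4) interface allows. The following pf.conf fragment is an added illustration, not code from this thread or from FreeBSD; it assumes a FreeBSD with enc(4) and pf, enc0 brought up and the net.enc.in/out.ipsec_filter_mask sysctls enabled so pf sees the inner packets, and the placeholder interface names and addresses shown.

```pf
# Added example: pf.conf fragment filtering decrypted IPsec traffic on enc0.
# Assumes enc0 is up and net.enc.in.ipsec_filter_mask /
# net.enc.out.ipsec_filter_mask are set so pf sees the cleartext inner
# packets. All interface names and addresses are placeholders.

ext_if   = "em0"
int_if   = "em1"
hospital = "10.10.0.0/16"              # networks behind the firewall
vendor_a = "192.168.50.0/24"           # remote side of vendor A's tunnel
vendor_b = "192.168.60.0/24"           # remote side of vendor B's tunnel
vendors  = "{" $vendor_a $vendor_b "}"

# Only the hosts and services each vendor is contracted to reach.
vendor_a_targets = "{ 10.10.5.20, 10.10.5.21 }"
vendor_b_target  = "10.10.7.30"

set skip on lo0

# Default deny everywhere, including the enc0 view of tunnel traffic.
block log all

# The encrypted ESP packets and IKE must still reach the outer interface;
# the cleartext inside them is judged on enc0 below, not here.
pass in on $ext_if proto esp from any to ($ext_if)
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }

# Decrypted tunnel traffic appears inbound on enc0. Tunnel peers may never
# address the firewall itself: "self" expands to every address the box owns.
block in log quick on enc0 from $vendors to self

# Each vendor reaches only its contracted hosts and services; the state
# entry created here also carries the replies back out through enc0.
pass in on enc0 proto tcp from $vendor_a to $vendor_a_targets port 1433 keep state
pass in on enc0 proto tcp from $vendor_b to $vendor_b_target  port 22   keep state

# Connections the hospital opens toward a vendor still need an explicit
# outbound rule on enc0 under the default deny above.
pass out on enc0 from $hospital to $vendors keep state
```

Anything a vendor sends to the firewall's own addresses is now logged and dropped on enc0 before it can reach any local service, which is the check the thread's "tickling the firewall" concern calls for.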