Date: Mon, 25 Nov 2002 17:46:47 +0100
From: Eric Masson <e-masson@kisoft-services.com>
To: Ari Suutari <ari.suutari@syncrontech.com>
Cc: greg.panula@dolaninformation.com, David Kelly <dkelly@HiWAAY.net>, FreeBSD-stable@FreeBSD.ORG
Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw?
Message-ID: <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com>
In-Reply-To: <200211180854.29349.ari.suutari@syncrontech.com> (Ari Suutari's message of "Mon, 18 Nov 2002 08:54:29 +0200")
References: <200211142157.57459.dkelly@HiWAAY.net> <3DD4F4D1.83C77B0@dolaninformation.com> <200211180854.29349.ari.suutari@syncrontech.com>
>>>>> "Ari" == Ari Suutari <ari.suutari@syncrontech.com> writes:

Ari> This means that packets decapsulated from ipsec packets are
Ari> passed again to ipfw rule processing. Things used to be like this
Ari> some releases ago.

Ok, I use ipf + ipsec tunnel on a tun (pppoe) interface here.

Ari> Although this might break some rulesets I like it since it gives
Ari> better security for some of my cases.

In my case, the LANs joined by the VPN use RFC 1918 addresses, and if I want the VPN traffic to flow correctly, I must invalidate incoming RFC 1918 address checking on the external firewall interface. I don't think it increases security ;)

So, is there any fix floating around, or is this definitely the right behaviour?

Eric Masson

-- 
Chatting calmly with Michel Guillou??? I have NEVER seen anyone more *fascist* than that guy. It's sickening.
-+- Rocou in GNU - You've got the FFL's address, it's for writing -+-
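As an added illustration (not part of this thread, and not Eric's or Ari's ruleset), here is a constructed IPFilter ruleset showing the collision Eric describes: anti-spoofing rules on the PPPoE interface versus packets that are decapsulated from the IPsec tunnel and then run through the filter again on the same interface. The interface name tun0, the gateway addresses in 203.0.113.0/24 (RFC 5737 documentation space) and the 192.168.1.0/24 and 192.168.2.0/24 LAN prefixes are all assumptions.

```conf
# Constructed ipf(8) example. tun0, the 203.0.113.x gateway addresses and
# the 192.168.x.0/24 LAN prefixes are placeholders, not values from the thread.
# 203.0.113.1 = this gateway (local LAN 192.168.1.0/24)
# 203.0.113.2 = remote gateway (remote LAN 192.168.2.0/24)

# Let the tunnel itself in: IKE (UDP/500) and ESP from the remote gateway.
pass in quick on tun0 proto udp from 203.0.113.2 port = 500 to 203.0.113.1 port = 500
pass in quick on tun0 proto esp from 203.0.113.2 to 203.0.113.1

# --- Ruleset 1: what the anti-spoofing section must become if the
# decapsulated packets are filtered again on tun0 and the checks are
# simply dropped. The three block rules are commented out, so ANY RFC 1918
# source is now accepted on the external interface, tunnelled or not.
#
# block in quick on tun0 from 10.0.0.0/8 to any
# block in quick on tun0 from 172.16.0.0/12 to any
# block in quick on tun0 from 192.168.0.0/16 to any

# --- Ruleset 2: narrower alternative. Accept only the remote LAN -> local
# LAN flow the tunnel is expected to carry, then keep the anti-spoofing
# blocks for every other private source. Because ipf sees the decapsulated
# packet on tun0 exactly as it would see a cleartext packet with a forged
# 192.168.2.x source, the anti-spoofing hole is still widened by that one
# prefix; it is just no longer widened to all of RFC 1918.
pass in quick on tun0 from 192.168.2.0/24 to 192.168.1.0/24
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 192.168.0.0/16 to any
```

ipf evaluates rules last-match by default; `quick` turns each rule into a terminal first-match, so the pass rule for the remote LAN prefix has to precede the block rules or it never fires. The residual exposure noted in the comments is the point Eric makes: once decapsulated traffic re-enters the filter on the external interface, the firewall cannot distinguish it from spoofed cleartext carrying the same source prefix.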