From owner-freebsd-net Fri Jan 3 9:21:39 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 451C137B401 for ; Fri, 3 Jan 2003 09:21:38 -0800 (PST)
Received: from math.teaser.net (math.teaser.net [213.91.2.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1EFB843EC5 for ; Fri, 3 Jan 2003 09:21:37 -0800 (PST) (envelope-from e-masson@kisoft-services.com)
Received: from notbsdems.nantes.kisoft-services.com (nantes.kisoft-services.com [193.56.60.243]) by math.teaser.net (Postfix) with ESMTP id BE6F96C80B; Fri, 3 Jan 2003 18:21:30 +0100 (CET)
Received: by notbsdems.nantes.kisoft-services.com (Postfix, from userid 1001) id 4B50059422; Fri, 3 Jan 2003 18:21:32 +0100 (CET)
To: Pekka Nikander
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPsec / ipfw interaction in 4.7-STABLE: a proposed change
From: Eric Masson
In-Reply-To: <3E15604B.3040505@nomadiclab.com> (Pekka Nikander's message of "Fri, 03 Jan 2003 12:04:59 +0200")
References: <3E144753.7020905@nomadiclab.com> <86k7hnz4hp.fsf@notbsdems.nantes.kisoft-services.com> <3E15604B.3040505@nomadiclab.com>
X-Operating-System: FreeBSD 4.7-STABLE i386
Date: Fri, 03 Jan 2003 18:21:31 +0100
Message-ID: <86fzsa87z8.fsf@notbsdems.nantes.kisoft-services.com>
User-Agent: Gnus/5.090008 (Oort Gnus v0.08) XEmacs/21.4 (Common Lisp, i386--freebsd)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "Pekka" == Pekka Nikander writes:

Pekka> Well, IMHO the best way would be to have a separate interface
Pekka> for each tunnel end point. That would allow most fine grained
Pekka> control, and would be easiest to understand.

I was thinking of a virtual interface for each incoming tunnel endpoint,
nothing more.
The problem, as pointed out in another post, would be the numbering of
these interfaces (from a filtering point of view).

From a previous discussion in -security, a tunnel can be used in odd
ways, and mixing it with routing isn't a good idea:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=fa.llg8ghv.1l0skqv%40ifi.uio.no

Eric Masson

-- 
70% of frjv are newbies? And once they no longer are, what do they do?
Do they leave frjv because it's too crappy? Because if they stay and
keep behaving the same way, they turn into morons.
-+- XB in: - You'll be a moron, my son -+-