From owner-freebsd-security Wed Mar 21 11:41:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97])
	by hub.freebsd.org (Postfix) with ESMTP id AB59537B72B
	for ; Wed, 21 Mar 2001 11:41:00 -0800 (PST)
	(envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1])
	by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id EAA10690;
	Thu, 22 Mar 2001 04:18:00 +0900 (JST)
To: Mike Harding , freebsd-security@freebsd.org
In-reply-to: itojun's message of Thu, 22 Mar 2001 04:10:29 JST.
	<10518.985201829@coconut.itojun.org>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPSEC/VPN/NAT and filtering
From: itojun@iijlab.net
Date: Thu, 22 Mar 2001 04:18:00 +0900
Message-ID: <10688.985202280@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> see latest NetBSD source code tree, and the following URL, on how
> we handled it (now ipfilter looks at wire format packet only). i have
> no environment/time to do the same on freebsd, but i can
> say that the foundations are there in kame and netbsd tree.
> (you can check if the packet went through ipsec on inbound,
> by using ipsec_gethist())
> http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

i'm not sure what should be done for stream came in from divert socket.

itojun