From: Luigi Rizzo
To: Julian Elischer
Cc: Ben Jackson, freebsd-net@FreeBSD.ORG
Subject: Re: ip_output: why IPSEC before IPF/IPFW?
Date: Fri, 3 May 2002 22:38:12 -0700
Message-ID: <20020503223812.C26854@iguana.icir.org>

On Fri, May 03, 2002 at 10:10:56PM -0700, Julian Elischer wrote:
...
> Thanks for bringing this up..
> I'm actually flabbergasted that it's so. I've been assuming it was the
> other way around.
> The advantage of having it the other way would be to be able to do other
> evil things to ipsec packets, but as it is you can totally block
> all packets and ipsec will still work..
> but that's certainly not POLA.. because we tell the world that
> the ipfw works on ALL packets.

except when we use ipfastforwarding, which is also anything but POLA...

cheers
luigi