Date: Fri, 3 May 2002 22:38:12 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Julian Elischer <julian@elischer.org>
Cc: Ben Jackson <ben@ben.com>, freebsd-net@FreeBSD.ORG
Subject: Re: ip_output: why IPSEC before IPF/IPFW?
Message-ID: <20020503223812.C26854@iguana.icir.org>
In-Reply-To: <Pine.BSF.4.21.0205032207040.85737-100000@InterJet.elischer.org>
References: <20020504031703.GA2184@pulsar.home.ben.com> <Pine.BSF.4.21.0205032207040.85737-100000@InterJet.elischer.org>

On Fri, May 03, 2002 at 10:10:56PM -0700, Julian Elischer wrote:
...
> Thanks for bringing this up..
> I'm actually flabbergasted that it's so. I've been assuming it was the
> other way around.
> The advantage of having it the other way would be to be able to do other
> evil things to ipsec packets, but as it is you can totally block
> all packets and ipsec will still work..
> but that's certainly not POLA.. because we tell the world that
> the ipfw works on ALL packets.

except when we use ipfastforwarding, which is also anything but POLA...

cheers
luigi