From: Robert Watson
Date: Sun, 13 Aug 2006 17:30:50 +0100 (BST)
To: mal content
Cc: freebsd-hackers@freebsd.org
Subject: Re: Packet filtering on tap interfaces
Message-ID: <20060813171432.C45647@fledge.watson.org>
In-Reply-To: <8e96a0b90608120936q67a5365vcc97217b44a272c0@mail.gmail.com>

On Sat, 12 Aug 2006, mal content wrote:

> Can tap interfaces reliably be filtered?

Max has provided a detailed answer, but I wanted to answer a more general
question here: a tap interface plugs into the normal kernel network interface
and ethernet layers, and as such, packets sent and received over tap
interfaces are processed entirely normally with respect to firewall services,
etc. In general, if a network service, such as IPSEC or a firewall, would
work for a physical interface, it will work for a tap interface.

Robert N M Watson
Computer Laboratory
University of Cambridge