From owner-freebsd-net Sat May 4 16:01:18 2002
Delivered-To: freebsd-net@freebsd.org
Received: from syn.codemonkey.net (h24-76-106-61.vc.shawcable.net [24.76.106.61]) by hub.freebsd.org (Postfix) with ESMTP id 45E3E37B41C for ; Sat, 4 May 2002 16:00:56 -0700 (PDT)
Received: from syn.codemonkey.net (jason@localhost [127.0.0.1]) by syn.codemonkey.net (8.12.2/8.12.1) with ESMTP id g44N0Xqq018239; Sat, 4 May 2002 16:00:33 -0700 (PDT)
Received: (from jason@localhost) by syn.codemonkey.net (8.12.2/8.12.0/Submit) id g44N0Mu3010094; Sat, 4 May 2002 16:00:22 -0700 (PDT)
X-Authentication-Warning: syn.codemonkey.net: jason set sender to jason@codemonkey.net using -f
To: Julian Elischer
Cc: Ben Jackson , freebsd-net@FreeBSD.ORG
Subject: Re: ip_output: why IPSEC before IPF/IPFW?
References:
From: Jason Ish
Date: Sat, 04 May 2002 16:00:22 -0700
In-Reply-To: (Julian Elischer's message of "Fri, 3 May 2002 22:10:56 -0700 (PDT)")
Message-ID: <87pu0b7c3d.fsf@syn.codemonkey.net>
Lines: 18
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) XEmacs/21.1 (Cuyahoga Valley, i386-unknown-openbsd3.0)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Julian Elischer writes:

> Thanks for bringing this up..
> I'm actually flabbergasted that it's so. I've been assuming it was the
> other way around.
> The advantage of having it the other way would be to be able to do other
> evil things to ipsec packets, but as it is you can totally block
> all packets and ipsec will still work..
> but that's certainly not POLA.. because we tell the world that
> the ipfw works on ALL packets.
>
> I'd vote to reverse it...

You have to be careful when you reverse it. If you are doing NAT and have IPsec tunnels that are supposed to tunnel your private addresses, the packets will be NAT'd before matching an IPsec policy.
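The two orderings argued over in this thread, as an added example that is not part of the original messages and not FreeBSD kernel code: a small C model of an ip_output()-style pipeline in which the IPsec policy lookup either runs before ipfw (the behaviour Julian describes, where "deny all" in ipfw does not stop tunnelled traffic) or after it (the proposed reversal, where Jason's NAT caveat bites). The structures, the 10.0.0.0/24 to 10.1.0.0/24 tunnel policy, the NAT to 203.0.113.1 and the sample packet are all constructed here for illustration; real KAME IPsec and ipfw processing is considerably more involved.

```c
/* Added example, not FreeBSD code: a toy model of the two ip_output()
 * orderings debated in the thread.  The structures, the 10.0.0.0/24 ->
 * 10.1.0.0/24 tunnel policy and the NAT to 203.0.113.1 are constructed
 * for illustration; real ipfw/IPsec processing is far more involved. */
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define NETMASK24 0xffffff00u

enum verdict { OUT_CLEAR, OUT_ESP, DROPPED };

struct pkt { uint32_t src, dst; };
struct result { enum verdict v; uint32_t src; }; /* verdict + final source */

/* One SPD entry: traffic between these two /24s must go through the tunnel. */
struct spd_entry { uint32_t src_net, dst_net; };

/* The ipfw side: either "deny ip from any to any", or a NAT of nat_net (a /24)
 * onto one public address, the way a divert rule to natd would. */
struct ipfw_cfg { int deny_all; uint32_t nat_net, nat_public; };

/* Returns 1 if the packet matches the tunnel policy (it would leave as ESP). */
static int ipsec_policy_match(const struct pkt *p, const struct spd_entry *spd)
{
    return (p->src & NETMASK24) == spd->src_net &&
           (p->dst & NETMASK24) == spd->dst_net;
}

/* Returns 0 to pass (possibly with src rewritten by NAT), -1 to drop. */
static int ipfw_check(struct pkt *p, const struct ipfw_cfg *fw)
{
    if (fw->deny_all)
        return -1;
    if (fw->nat_net != 0 && (p->src & NETMASK24) == fw->nat_net)
        p->src = fw->nat_public;
    return 0;
}

/* The order described in the thread: IPsec policy first.  A packet that
 * matched a policy leaves as ESP without ipfw ever seeing it, which is why
 * "deny all" in ipfw does not stop IPsec traffic. */
static struct result ipsec_then_ipfw(struct pkt p, const struct spd_entry *spd,
                                     const struct ipfw_cfg *fw)
{
    struct result r;
    if (ipsec_policy_match(&p, spd)) { r.v = OUT_ESP; r.src = p.src; return r; }
    r.v = ipfw_check(&p, fw) < 0 ? DROPPED : OUT_CLEAR;
    r.src = p.src;
    return r;
}

/* The proposed reversal: ipfw (including its NAT) first, then the policy
 * lookup on whatever ipfw handed back. */
static struct result ipfw_then_ipsec(struct pkt p, const struct spd_entry *spd,
                                     const struct ipfw_cfg *fw)
{
    struct result r;
    if (ipfw_check(&p, fw) < 0) { r.v = DROPPED; r.src = p.src; return r; }
    r.v = ipsec_policy_match(&p, spd) ? OUT_ESP : OUT_CLEAR;
    r.src = p.src;
    return r;
}

/* Constructed policy, sample packet and ipfw configs used by all four cases. */
static const struct spd_entry tunnel = { IP(10, 0, 0, 0), IP(10, 1, 0, 0) };
static const struct pkt sample = { IP(10, 0, 0, 5), IP(10, 1, 0, 7) };
static const struct ipfw_cfg deny_all = { 1, 0, 0 };
static const struct ipfw_cfg nat_private = { 0, IP(10, 0, 0, 0), IP(203, 0, 113, 1) };

/* Julian's observation: with ipfw denying everything, IPsec still works today. */
struct result deny_all_current(void)  { return ipsec_then_ipfw(sample, &tunnel, &deny_all); }
struct result deny_all_reversed(void) { return ipfw_then_ipsec(sample, &tunnel, &deny_all); }

/* Jason's caveat: with NAT in ipfw, reversing the order translates the source
 * before the SPD lookup, so the private-address policy never matches and the
 * packet goes out in the clear from the public address. */
struct result nat_current(void)  { return ipsec_then_ipfw(sample, &tunnel, &nat_private); }
struct result nat_reversed(void) { return ipfw_then_ipsec(sample, &tunnel, &nat_private); }

static void show(const char *name, struct result r)
{
    static const char *names[] = { "clear", "esp", "dropped" };
    printf("%-18s %s from %u.%u.%u.%u\n", name, names[r.v],
           r.src >> 24, (r.src >> 16) & 255, (r.src >> 8) & 255, r.src & 255);
}

int main(void)
{
    show("deny-all current", deny_all_current());
    show("deny-all reversed", deny_all_reversed());
    show("nat current", nat_current());
    show("nat reversed", nat_reversed());
    return 0;
}
```

The nat_reversed case is the one to look at: the SPD entry is keyed on the private source, the NAT rewrote that source before the lookup, so the packet that was meant for the tunnel leaves unencrypted from the public address. Any reversal of the order would need to either match policies on the pre-NAT addresses or have the NAT rules exclude tunnelled destinations.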