Date:      Sat, 04 May 2002 16:00:22 -0700
From:      Jason Ish <jason@codemonkey.net>
To:        Julian Elischer <julian@elischer.org>
Cc:        Ben Jackson <ben@ben.com>, freebsd-net@FreeBSD.ORG
Subject:   Re: ip_output: why IPSEC before IPF/IPFW?
Message-ID:  <87pu0b7c3d.fsf@syn.codemonkey.net>
In-Reply-To: <Pine.BSF.4.21.0205032207040.85737-100000@InterJet.elischer.org> (Julian Elischer's message of "Fri, 3 May 2002 22:10:56 -0700 (PDT)")
References:  <Pine.BSF.4.21.0205032207040.85737-100000@InterJet.elischer.org>

Julian Elischer <julian@elischer.org> writes:

> Thanks for bringing this up..
> I'm actually flabbergasted that it's so. I've been assuming it was the
> other way around.
> The advantage of having it the other way would be to be able to do other
> evil things to ipsec packets, but as it is you can totally block
> all packets and ipsec will still work..
> but that's certainly not POLA.. because we tell the world that
> the ipfw works on ALL packets.
>
> I'd vote to reverse it...

You have to be careful when you reverse it.  If you are doing NAT and
have IPsec tunnels that are supposed to tunnel your private addresses,
the packets will be NAT'd before matching an IPsec policy.
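A small model of the two output orderings discussed above, added here as an illustration and not code from the thread or from FreeBSD's ip_output: the SPD entry, the NAT rule and all addresses are constructed, and the NAT stage stands in for the ipfw/NAT hook that would run in the filter position.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses (RFC 1918 and RFC 5737 documentation space).
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/24")   # our LAN behind NAT
REMOTE_NET = ipaddress.ip_network("10.1.0.0/24")    # peer's LAN
LOCAL_GW = ipaddress.ip_address("203.0.113.1")      # our public address
PEER_GW = ipaddress.ip_address("198.51.100.1")      # peer's public address

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str = "tcp"
    inner: "Packet | None" = None   # set once encapsulated in an ESP tunnel

def ipsec_output(pkt: Packet) -> Packet:
    """Tunnel-mode SPD with one entry: LAN <-> remote LAN via PEER_GW."""
    if pkt.src in PRIVATE_NET and pkt.dst in REMOTE_NET:
        return Packet(src=LOCAL_GW, dst=PEER_GW, proto="esp", inner=pkt)
    return pkt  # no policy matched: packet continues in the clear

def nat_output(pkt: Packet) -> Packet:
    """Outbound NAT in the filter hook: rewrite private sources to LOCAL_GW."""
    if pkt.src in PRIVATE_NET:
        return replace(pkt, src=LOCAL_GW)
    return pkt

def ip_output(pkt: Packet, stages) -> Packet:
    """Run the packet through the output stages in the given order."""
    for stage in stages:
        pkt = stage(pkt)
    return pkt

CURRENT_ORDER = (ipsec_output, nat_output)   # IPsec, then the filter hooks
REVERSED_ORDER = (nat_output, ipsec_output)  # the ordering proposed in the thread

def tunneled(pkt: Packet) -> bool:
    return pkt.proto == "esp" and pkt.inner is not None

def demo():
    lan_pkt = Packet(ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.1.0.7"))
    return ip_output(lan_pkt, CURRENT_ORDER), ip_output(lan_pkt, REVERSED_ORDER)

if __name__ == "__main__":
    cur, rev = demo()
    print("IPsec first:", cur)   # ESP from 203.0.113.1 to 198.51.100.1
    print("NAT first:  ", rev)   # source already NAT'd, SPD never matches
```

With the filter first, the source is rewritten to the public address before the SPD lookup, so the private-to-private policy no longer matches and the packet leaves untunneled.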

