Date: Sat, 4 May 2002 22:08:43 -0700 (PDT)
From: Archie Cobbs <archie@dellroad.org>
To: Jason Ish <jason@codemonkey.net>
Cc: Julian Elischer <julian@elischer.org>, Ben Jackson <ben@ben.com>, freebsd-net@FreeBSD.ORG
Subject: Re: ip_output: why IPSEC before IPF/IPFW?
Message-ID: <200205050508.g4558ij09336@arch20m.dellroad.org>
In-Reply-To: <87pu0b7c3d.fsf@syn.codemonkey.net> "from Jason Ish at May 4, 2002 04:00:22 pm"

Jason Ish writes:
> > I'd vote to reverse it...
>
> You have to be careful when you reverse it. If you are doing NAT and
> have IPsec tunnels that are supposed to tunnel your private addresses
> the packets will be NAT'd before matching an IPsec policy.

ISTR that the KAME guys asked the lists about this exact question,
i.e., whether IPSec or ipfw should come first.. so there may be
a useful discussion archived somewhere.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message