From: Archie Cobbs
Subject: Re: ip_output: why IPSEC before IPF/IPFW?
Date: Sat, 4 May 2002 22:08:43 -0700 (PDT)
To: Jason Ish
Cc: Julian Elischer, Ben Jackson, freebsd-net@FreeBSD.ORG
Message-Id: <200205050508.g4558ij09336@arch20m.dellroad.org>
In-Reply-To: <87pu0b7c3d.fsf@syn.codemonkey.net> "from Jason Ish at May 4, 2002 04:00:22 pm"

Jason Ish writes:
> > I'd vote to reverse it...
>
> You have to be careful when you reverse it. If you are doing NAT and
> have IPsec tunnels that are supposed to tunnel your private addresses
> the packets will be NAT'd before matching an IPsec policy.

ISTR that the KAME guys asked the lists about this exact question, i.e.,
whether IPSec or ipfw should come first, so there may be a useful discussion
archived somewhere.

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com
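The ordering problem Jason describes, as an added toy model of the two ip_output steps (this is not FreeBSD kernel code and not from either poster; the SPD entry, the NAT rule and all addresses are constructed, with RFC 5737 documentation ranges on the public side):

```python
# Added example: a toy model of the ip_output ordering discussed in the
# thread. It is not FreeBSD kernel code; the policy, NAT rule and addresses
# are constructed (RFC 5737 documentation ranges for the public side).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GW_LOCAL = "192.0.2.1"      # this gateway's public address (also the NAT address)
GW_PEER = "198.51.100.1"    # remote IPsec tunnel endpoint


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None   # set when encapsulated in an IPsec tunnel


# Constructed SPD entry: tunnel traffic between the two private LANs.
SPD = [(ip_network("10.1.1.0/24"), ip_network("10.2.2.0/24"), "ipsec")]
# Constructed NAT rule: rewrite private sources to the gateway's address.
NAT_INSIDE = ip_network("10.1.1.0/24")


def ipsec_lookup(pkt: Packet) -> Packet:
    """SPD lookup as ip_output's IPsec step would do it (tunnel mode)."""
    for src_net, dst_net, action in SPD:
        if ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net:
            if action == "ipsec":
                return Packet(GW_LOCAL, GW_PEER, inner=pkt)
            return pkt
    return pkt


def nat(pkt: Packet) -> Packet:
    """Source NAT as an ipfw divert to natd would do it."""
    if ip_address(pkt.src) in NAT_INSIDE:
        return Packet(GW_LOCAL, pkt.dst, inner=pkt.inner)
    return pkt


def ip_output(pkt: Packet, ipsec_first: bool) -> Packet:
    """Run the two steps in either order and return what leaves the box."""
    steps = (ipsec_lookup, nat) if ipsec_first else (nat, ipsec_lookup)
    for step in steps:
        pkt = step(pkt)
    return pkt


if __name__ == "__main__":
    p = Packet("10.1.1.5", "10.2.2.7")
    print("IPsec before NAT:", ip_output(p, True))    # tunneled, inner kept
    print("NAT before IPsec:", ip_output(p, False))   # NAT'd, policy missed
```

With NAT first the rewritten source no longer matches the SPD selector, so the packet leaves in the clear with a private destination; with IPsec first the policy matches and NAT never sees the inner header.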