Date: Thu, 9 Dec 2004 16:10:24 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Andre Oppermann <andre@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
Message-ID: <Pine.BSF.4.53.0412091605130.95268@e0-0.zab2.int.zabbadoz.net>
In-Reply-To: <41B85729.40F00890@freebsd.org>
References: <20041129100949.GA19560@bps.jodocus.org> <41AAF696.6ED81FBF@freebsd.org> <41AB3A74.8C05601D@freebsd.org> <41AB65B2.A18534BF@freebsd.org> <41B85729.40F00890@freebsd.org>
On Thu, 9 Dec 2004, Andre Oppermann wrote:

Hi,

> With the changes you can choose whether you want to do firewalling before
> ipsec processing or after but not both.

I am unsure if I get that right but that's what the ipsec flag in ipfw2 is for and it is heavily used to filter ipsec encrypted traffic and the same traffic, tagged to come from an ipsec tunnel, afterwards. If your changes won't handle this you will break too many IPSec GWs I think.

> The enc(4) pseudo device looks
> interesting but I haven't looked at the code. Maybe that makes things
> easier. I'll look into it.

The code is quite simple and helpful for debugging but not for a lot more with our current ipsec implementations (at least that had been the case about a year ago).

--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT