Date: Tue, 24 Apr 2001 20:12:50 +0000
From: Gunther Schadow <gunther@aurora.regenstrief.org>
To: Luigi Rizzo <luigi@info.iet.unipi.it>
Cc: freebsd-small@FreeBSD.ORG
Subject: Re: ipfw vs. ipf (was: Re: PicoBSD's kernel, /dev/kmem, and the kernfs
Message-ID: <3AE5DE42.75523F60@aurora.regenstrief.org>
References: <200104241941.VAA34133@info.iet.unipi.it>

Luigi Rizzo wrote:
>
> > - ipf is more likely to play well with IPsec
>
> can you be more specific on this one ?

Yes, in fact I'm just about checking this again. You can see
Itojun's thoughts about this at:

http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

and there is a patch that had been applied to the recent KAME
SNAP kit that implements the rule. The rule is: IPsec AH and
ESP processing occurs on the inside of packet filtering. That
is, before the filter on outgoing packets and after the filter
on incoming packets.

This may or may not have been fixed with ipfw. In fact, I was
quite able to use IPsec with ipfw on one host, but I was never
really sure about it.

And, I'm looking forward to IPsec SPD packet matching rules to
be combined with ipf. I remember Itojun or Sakane mentioning
those further plans recently.

regards,
-Gunther

--
Gunther Schadow, M.D., Ph.D.
gschadow@regenstrief.org
Medical Information Scientist
Regenstrief Institute for Health Care
Adjunct Assistant Professor
Indiana University School of Medicine
tel:1(317)630-7960
http://aurora.regenstrief.org