From owner-freebsd-small Tue Apr 24 13:12:57 2001
Delivered-To: freebsd-small@freebsd.org
Received: from rgmail.regenstrief.org (rgmail.regenstrief.org [134.68.31.197])
	by hub.freebsd.org (Postfix) with ESMTP id 5895237B422
	for ; Tue, 24 Apr 2001 13:12:54 -0700 (PDT)
	(envelope-from gunther@aurora.regenstrief.org)
Received: from aurora.regenstrief.org (rgnout.regenstrief.org [134.68.31.38])
	by rgmail.regenstrief.org (8.11.0/8.8.7) with ESMTP id f3OKDDA20897;
	Tue, 24 Apr 2001 15:13:13 -0500
Message-ID: <3AE5DE42.75523F60@aurora.regenstrief.org>
Date: Tue, 24 Apr 2001 20:12:50 +0000
From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Luigi Rizzo
Cc: freebsd-small@FreeBSD.ORG
Subject: Re: ipfw vs. ipf (was: Re: PicoBSD's kernel, /dev/kmem, and the kernfs
References: <200104241941.VAA34133@info.iet.unipi.it>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-small@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Luigi Rizzo wrote:
>
> > - ipf is more likely to play well with IPsec
>
> can you be more specific on this one ?

Yes, in fact I'm just about checking this again. You can see
Itojun's thoughts about this at:

http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

and there is a patch that had been applied to the recent KAME
SNAP kit that implements the rule. The rule is: IPsec AH and
ESP processing occurs on the inside of packet filtering. That
is, before the filter on outgoing packets and after the filter
on incoming packets.

This may or may not have been fixed with ipfw. In fact, I was
quite able to use IPsec with ipfw on one host, but I was never
really sure about it.

And, I'm looking forward to IPsec SPD packet matching rules to
be combined with ipf. I remember Itojun or Sakane mentioning
those further plans recently.

regards,
-Gunther

--
Gunther Schadow, M.D., Ph.D.
gschadow@regenstrief.org
Medical Information Scientist
Regenstrief Institute for Health Care
Adjunct Assistant Professor
Indiana University School of Medicine
tel:1(317)630-7960
http://aurora.regenstrief.org