From owner-freebsd-small Tue Apr 24 16:40:40 2001
Delivered-To: freebsd-small@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184])
	by hub.freebsd.org (Postfix) with ESMTP id EA6C937B423
	for ; Tue, 24 Apr 2001 16:40:35 -0700 (PDT)
	(envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost)
	by info.iet.unipi.it (8.9.3/8.9.3) id BAA36223;
	Wed, 25 Apr 2001 01:38:40 +0200 (CEST)
	(envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200104242338.BAA36223@info.iet.unipi.it>
Subject: Re: ipfw vs. ipf (was: Re: PicoBSD's kernel, /dev/kmem, and the kernfs
In-Reply-To: <3AE5DE42.75523F60@aurora.regenstrief.org> from Gunther Schadow at "Apr 24, 2001 08:12:50 pm"
To: Gunther Schadow
Date: Wed, 25 Apr 2001 01:38:40 +0200 (CEST)
Cc: freebsd-small@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-small@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > can you be more specific on this one ?
>
> Yes, in fact I'm just about checking this again. You can see Itojun's
> thoughts about this at:
>
> http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction
>
> and there is a patch that had been applied to the recent KAME SNAP
> kit that implements the rule. The rule is:

i suppose it is better waiting for the daylight in japan...
surely itojun and friends know what issues (if any) are there with
ipfw. (also note that there are ipfw and ipfw6 which are not
the same thing, and might be slightly out of sync).

	cheers
	luigi

> IPsec AH and ESP processing occurs on the inside of packet filtering.
> That is, before the filter on outgoing packets and after the filter
> on incoming packets. This may or may not have been fixed with ipfw.
> In fact, I was quite able to use IPsec with ipfw on one host, but
> I was never really sure about it. And, I'm looking forward to IPsec
> SPD packet matching rules to be combined with ipf. I remember Itojun
> or Sakane mentioning those further plans recently.
>
> regards,
> -Gunther
>
> --
> Gunther Schadow, M.D., Ph.D. gschadow@regenstrief.org
> Medical Information Scientist Regenstrief Institute for Health Care
> Adjunct Assistent Professor Indiana University School of Medicine
> tel:1(317)630-7960 http://aurora.regenstrief.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-small" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-small" in the body of the message