Date: Tue, 19 Nov 2002 15:35:49 -0500
From: "Cambria, Mike" <mcambria@avaya.com>
To: 'Guido van Rooij' <guido@gvr.org>, Scott Ullrich <sullrich@CRE8.COM>
Cc: David Kelly <dkelly@hiwaay.net>, 'Archie Cobbs' <archie@dellroad.org>, "'greg.panula@dolaninformation.com'" <greg.panula@dolaninformation.com>, FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec packets seen on wrong interface by ipfw (was Re: IPsec/ gif VPN tunnel packets on wrong NIC in ipfw?)
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7E4EF41@rerun.avayactc.com>
> -----Original Message-----
> From: Guido van Rooij [mailto:guido@gvr.org]
>
> I think having either esp0 as a catch all device, or having a
> pseudo-interface per physical interface (e.g. fxp_esp<n> for fxp<n>) is the
> solution, where I'd vote for the second one. Reason for that vote: if you only can
> filter on esp0 you can't retrieve the original interface and you
> might end up having to allow spoofed packets in.

I too like the latter case.

I use tunnel mode and not gif. Somewhere between 4.6-Stable and 4.7-Stable I needed to add rules to ipfw to allow traffic inside my tunnel to pass.

I like the idea of running ipfw on traffic after it leaves an IPsec tunnel. But at the moment, I have a "hole" in my rules that will let packets to 172.16.0.0 in.

MikeC
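The point Guido makes in the quoted text, and the "hole" Mike describes, can be shown with a small simulation. The following is an added illustration, not code from the thread or from FreeBSD's ipfw: a toy first-match filter that evaluates rules on source address and receive interface. It compares a catch-all `esp0` design, where the filter can no longer tell which physical NIC the ESP packet arrived on, with a per-physical pseudo-interface design (named `fxp0_esp` here, an assumed rendering of the thread's `fxp_esp<n>`). The interface names, the 172.16.0.0/16 internal range from the message, and all rules are constructed for the example.

```python
# Added illustration (not from the thread or from ipfw): a toy first-match
# packet filter used to show why a single catch-all "esp0" pseudo-interface
# loses the physical ingress interface of decapsulated IPsec traffic, while a
# per-physical pseudo-interface keeps it. All names and rules are constructed.
from ipaddress import ip_address, ip_network

INTERNAL = "172.16.0.0/16"   # internal range mentioned in the message


def evaluate(rules, src, recv):
    """Return the action of the first rule whose source network and receive
    interface match; default-deny when nothing matches.
    rules: list of (action, src_network, recv_interface or None for 'any')."""
    addr = ip_address(src)
    for action, net, iface in rules:
        if addr in ip_network(net) and iface in (None, recv):
            return action
    return "deny"


def decapsulate(outer_recv, design):
    """Interface the decapsulated inner packet is presented on, per design.
    'catch-all'  -> always esp0, physical origin discarded
    'per-iface'  -> <physical>_esp, e.g. fxp0 -> fxp0_esp (assumed naming)"""
    if design == "catch-all":
        return "esp0"
    return f"{outer_recv}_esp"


# Design A: one esp0. To let tunnel traffic through at all, the ruleset must
# accept internal source addresses from esp0 no matter where the ESP packet
# physically arrived. That blanket rule is the "hole".
RULES_CATCH_ALL = [
    ("deny",  INTERNAL, "fxp0"),      # anti-spoof: internal src on outside NIC
    ("allow", INTERNAL, "esp0"),      # any decapsulated packet, origin unknown
    ("allow", INTERNAL, "fxp1"),      # LAN side
]

# Design B: per-physical pseudo-interface. Tunnel traffic is only expected to
# arrive on the outside NIC fxp0, so decapsulated packets that entered on any
# other NIC still fall through to the default deny.
RULES_PER_IFACE = [
    ("deny",  INTERNAL, "fxp0"),
    ("allow", INTERNAL, "fxp0_esp"),  # decapsulated, known to have entered on fxp0
    ("allow", INTERNAL, "fxp1"),
]


def decide(design, outer_recv, src):
    """Verdict for an inner packet with source `src` whose ESP envelope was
    received on physical interface `outer_recv`, under the given design."""
    rules = RULES_CATCH_ALL if design == "catch-all" else RULES_PER_IFACE
    return evaluate(rules, src, decapsulate(outer_recv, design))


if __name__ == "__main__":
    for design in ("catch-all", "per-iface"):
        for nic in ("fxp0", "fxp1"):
            print(f"{design:9s} ESP in on {nic}: {decide(design, nic, '172.16.5.1')}")
```

Under the catch-all design the filter allows the decapsulated packet whether the ESP envelope entered on `fxp0` or `fxp1`, because both look like `esp0`; under the per-interface design the `fxp1` case is refused while legitimate tunnel traffic on `fxp0` still passes. A plain (non-ESP) packet with an internal source on `fxp0` is denied by the first rule in both designs.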