Date: Fri, 26 Oct 2001 12:48:38 +0200 (CEST)
From: vita@fio.cz
To: Mike Harding <mvh@ix.netcom.com>, stable@freebsd.org
Subject: Re: IPFW/IPSEC/NAT interaction issues with 4.4, Bug ???
Message-ID: <XFMail.20011026124838.vita@fio.cz>
In-Reply-To: <20011026021302.5EE59134D2@netcom1.netcom.com>
On 26-Oct-2001 Mike Harding wrote:
>
> This is a feature - if you don't do this, you can't tell decapsulated
> traffic from raw traffic. That was the old config. If you have a
> router, you can filter on the inside interface. I suggested inserting
> the traffic on a fake interface so you could do more interesting
> things like NAT, better filtering, etc, but some KAME folk seemed to
> get very upset about this, although I couldn't follow the reasoning...
>
> - Mike H.

Do you mean that "because firewall can't tell decapsulated traffic from raw traffic, firewall is skipped for decapsulated packets"?

Yes, I can filter on the inside interface, but what about NAT? natd must run on the outside interface.

I see only one solution for my configuration - skip nat divert for packets outgoing from 10/8 net and they should be esp encapsulated and configure the opposite host to process packets going back with a 10.x.x.x destination address some way. But if I want to communicate by esp with a host which I can't configure I'm lost because it will not like my packets from 10/8 net.

vita
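The workaround vita describes (let 10/8 traffic that the IPsec policy will ESP-encapsulate bypass the natd divert on the outside interface) sketched as an ipfw ruleset. This is an added example, not configuration from the thread or from FreeBSD itself; the outside interface name fxp0 and the remote private network 10.200.0.0/16 are placeholders, and the rule numbers are arbitrary. It uses skipto rather than allow so that the bypassed traffic still reaches the rest of the ruleset, and it prints the rules by default, applying them only when APPLY=1 is set and ipfw is present. No inbound bypass is shown, since, as Mike's reply says, decapsulated inbound packets do not pass through ipfw on this kernel; vita's remark that the far end must still cope with 10.x.x.x return addresses is unchanged.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rule ordering that keeps natd
# from rewriting the 10/8 source address of packets that IPsec will ESP
# encapsulate on the way out.
# Placeholders: adjust to the real configuration.
OUTSIDE_IF="${OUTSIDE_IF:-fxp0}"                      # placeholder outside interface
LOCAL_NET="10.0.0.0/8"                                # the 10/8 net from the thread
REMOTE_PRIVATE_NET="${REMOTE_PRIVATE_NET:-10.200.0.0/16}"   # placeholder far-end private net

# Emit the ruleset in order. The bypass rule must have a lower number than
# the divert rule, because ipfw matches rules in ascending number order.
ipsec_nat_rules() {
    # Cleartext packets headed for the far-end private net jump over the
    # natd divert; the IPsec SPD then encapsulates them with the 10/8
    # source intact.
    echo "add 900 skipto 1100 ip from $LOCAL_NET to $REMOTE_PRIVATE_NET out via $OUTSIDE_IF"
    # Everything else crossing the outside interface is handed to natd.
    echo "add 1000 divert natd ip from any to any via $OUTSIDE_IF"
    # Remaining filtering (placeholder: permit everything) starts here.
    echo "add 1100 allow ip from any to any"
}

# Rule number of the first rule whose text contains the given keyword,
# used to check that the bypass precedes the divert.
rule_number() {
    ipsec_nat_rules | grep "$1" | head -n 1 | awk '{print $2}'
}

# 0 when the skipto rule precedes the divert rule, 1 otherwise.
bypass_precedes_divert() {
    [ "$(rule_number skipto)" -lt "$(rule_number divert)" ]
}

# Dry run unless APPLY=1 and ipfw exists; then load the rules one by one.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ] && command -v ipfw >/dev/null 2>&1; then
        ipsec_nat_rules | while read -r line; do
            # shellcheck disable=SC2086  # word splitting of the rule is intended
            ipfw $line
        done
    else
        echo "# dry run; rules that would be loaded:"
        ipsec_nat_rules
    fi
}

apply_rules
```

Loading these on a live router changes the firewall immediately, so the dry run is the default; the skipto target (1100) should be the first rule of whatever filtering normally follows the divert in the real ruleset.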