From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 14:19:27 2003
Date: Mon, 27 Oct 2003 14:19:16 -0800
From: "Crist J. Clark"
To: Bill Swingle
cc: freebsd-security@freebsd.org
cc: "G. Panula"
Subject: Re: IPSec VPNs: to gif or not to gif
Message-ID: <20031027221916.GA46461@blossom.cjclark.org>
References: <3F97BA17.8050403@lexisnexis.com> <20031026165222.GA31223@dub.net>
In-Reply-To: <20031026165222.GA31223@dub.net>
Reply-To: "Crist J. Clark"
List-Id: Security issues [members-only posting]

On Sun, Oct 26, 2003 at 08:52:22AM -0800, Bill Swingle wrote:
> On Thu, Oct 23, 2003 at 06:23:03AM -0500, G. Panula wrote:
> > Current behavior is encrypted packet is handled by ipfw once, then after
> > decryption it is only handled by ipfw (again) if it passes thru an
> > interface it didn't arrive on.
>
> Does this apply to ipfilter as well?

Yes.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org