Date: Fri, 02 Aug 2002 13:54:32 -0400
From: Mike Tancsa <mike@sentex.net>
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID: <5.1.1.6.0.20020802134758.040a3e08@marble.sentex.ca>
In-Reply-To: <20020802174321.GB6880@blossom.cjclark.org>
References: <sd4a58ca.054@aus-gwia.aus.dcnhs.org>
At 10:43 AM 02/08/2002 -0700, Crist J. Clark wrote:

>But why? Is there something this configuration buys you that you don't
>get when all are "vanilla" ESP tunnels?

I guess for me, when it gets routed through an interface the "feel" is more consistent. I do a netstat -nr, and I can see where the route points to. I can then also do further firewall rules on traffic via the gif interface. I don't like the fact that my tunnels somehow don't show up in a netstat -nr. I know that sounds trivial, but I think it's somewhat important in security matters -- i.e. the admin has a good feeling at a gut level how it all works rather than, "oh yeah, normally it works that way, but not in this case." The less one has to stop and consider "oh yeahs" / exceptions the better IMHO.

---Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
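As an added illustration of the arrangement Mike prefers (this is not configuration from the thread or from either poster; the addresses, interface numbers, rc.conf variable values and the ipfw rule are assumptions), a FreeBSD-style gif(4) tunnel carries the site-to-site traffic and ESP in transport mode protects the encapsulated packets between the two endpoints. The effect he describes is that the remote network appears in `netstat -nr` as a route via gif0, and a packet filter rule can match on that interface, whereas a gif-less ESP tunnel-mode policy is only visible through `setkey -DP`:

```sh
# /etc/rc.conf (assumed values: 192.0.2.1 and 198.51.100.1 are the public
# endpoints, 10.0.0.0/16 is local, 10.1.0.0/16 is the remote network)
gif_interfaces="gif0"
gifconfig_gif0="192.0.2.1 198.51.100.1"               # outer (public) endpoints
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.255"  # inner point-to-point addresses
static_routes="vpn"
route_vpn="-net 10.1.0.0/16 10.0.0.2"                  # shows up as a route via gif0 in netstat -nr
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

# /etc/ipsec.conf (loaded by setkey): ESP in transport mode on the gif-encapsulated
# traffic between the two public endpoints, required in both directions
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 any -P in  ipsec esp/transport//require;

# /etc/ipfw.rules: a rule that matches traffic on the tunnel interface itself.
# With a gif-less tunnel-mode ESP policy there is no interface to name here.
add 1000 allow ip from 10.0.0.0/16 to 10.1.0.0/16 via gif0
add 1010 allow ip from 10.1.0.0/16 to 10.0.0.0/16 via gif0
add 1020 deny log ip from any to any via gif0

# For comparison, the equivalent gif-less policy (one line in /etc/ipsec.conf,
# no route and no interface; shown only to make the contrast explicit):
#   spdadd 10.0.0.0/16 10.1.0.0/16 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
```

The security-relevant difference is where the administrator can see and constrain the tunnel: with gif0, `netstat -nr` lists the remote prefix with gif0 as its interface and ipfw rules apply to it, so a misconfigured SPD that silently drops ESP leaves an obviously dead route rather than traffic that vanishes into a policy table. The trade-off is that the gif interface adds a second layer of encapsulation, and a transport-mode policy keyed only on the public endpoint addresses must still be present, or the gif traffic would go out in the clear; checking `setkey -DP` and `setkey -D` remains necessary in either design.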