(review request) ipfw and ipsec processing order for outgoing packets
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Thu Dec 9 08:15:10 PST 2004
On Thu, 9 Dec 2004, Andre Oppermann wrote:
Hi,
> With the changes you can choose whether you want to do firewalling before
> ipsec processing or after but not both.
I am unsure if I get that right but that's what the ipsec flag in
ipfw2 is for and it is heavily used to filter ipsec encrypted traffic
and the same traffic, tagged to come from an ipsec tunnel, afterwards.
If your changes won't handle this you will break too many IPSec GWs I
think.
> The enc(4) pseudo device looks
> interesting but I haven't looked at the code. Maybe that makes things
> easier. I'll look into it.
The code is quite simple and helpful for debugging but not for a lot
more with our current ipsec implementations (at least that had been
the case about a year ago).
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT