tcpdump and ipsec
Eric W. Bates
ericx_lists at vineyard.net
Sun Apr 2 17:10:46 UTC 2006
Dmitry Pryanishnikov wrote:
>
> Hello!
>
> On Sun, 2 Apr 2006, Bjoern A. Zeeb wrote:
>
>>> Why not? IMHO it will be very useful feature: think about e.g.
>>> traffic shaping for several different networks which are routed via
>>> the same ipsec tunnel. Without the enc0, you can only shape them
>>> together, e.g.:
>>
>>
>> why not shaping on the internal interface in case this is a gateway?
>> You know src and dst there too.
>
>
> Gateway can also contain sources of traffic, and we should be able
> to shape all outgoing or incoming traffic (not only transit packets,
> but also locally-originated).
>
>> The only difference enc0 makes is for host-only-setups or if you want
>> to see all your unencrypted ipsec traffic on a gateway in one place.
As an example, I'm working on a firewall for a hospital. We have to
terminate a variety of tunnels for vendors providing sensitive services;
but we don't necessarily trust the vendors. I appreciate that I can
filter their traffic as it passes out of the firewall into the hospital
proper; but I would just as soon be able to prevent them from tickling
the firewall itself.
I realize using ipencap would address this; but this is not really an
option when dealing with service vendors.
>
>
> It seems to me that it's also useful for general traffic
> shaping/accounting/filtering purposes.
>
> Sincerely, Dmitry
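The vendor-tunnel case Eric describes above, as an added example that is not part of the original thread: a pf ruleset that filters the decrypted IPsec traffic on enc0, so that tunnelled vendor packets may reach only the hospital hosts they are meant for and never the firewall's own addresses, and that labels each vendor's rule so pf keeps per-vendor counters (the accounting case Dmitry mentions). The interface name, peer addresses, vendor networks, hosts and ports are assumed for illustration only.

```pf
# Added example, not from the thread. Assumed addressing, all hypothetical:
#   em0              external interface, where the vendors' IKE and ESP arrive
#   203.0.113.5/.6   the vendors' public IKE peers
#   192.0.2.0/24     vendor A's remote network, allowed only to 10.10.5.10:1433
#   198.51.100.0/24  vendor B's remote network, allowed only to 10.10.6.20:443
ext_if = "em0"
table <vendor_peers> { 203.0.113.5, 203.0.113.6 }
table <vendor_nets>  { 192.0.2.0/24, 198.51.100.0/24 }

# The still-encrypted packets are filtered on the external interface as IKE + ESP.
pass in quick on $ext_if proto udp from <vendor_peers> to ($ext_if) port { 500, 4500 } keep state
pass in quick on $ext_if proto esp from <vendor_peers> to ($ext_if)

# After decryption the cleartext packets are presented inbound on enc0, so the
# rules below see the vendors' real source addresses and destinations.

# Decrypted vendor traffic aimed at any of the firewall's own addresses is
# dropped before anything else can match ("self" expands to every local address).
block in log quick on enc0 from <vendor_nets> to self

# Default for anything else that arrives decrypted from a vendor: drop.
# No "quick" here, so a later matching pass rule still wins (last match rules).
block in log on enc0 from <vendor_nets> to any

# Per-vendor allow rules. The labels make "pfctl -sl" report packet and byte
# counters per vendor without any extra accounting machinery.
pass in on enc0 proto tcp from 192.0.2.0/24 to 10.10.5.10 port 1433 keep state label "vendorA"
pass in on enc0 proto tcp from 198.51.100.0/24 to 10.10.6.20 port 443 keep state label "vendorB"
```

Load it with pfctl -f and check which enc0 rules are being hit with pfctl -vsr; the blocked attempts against the firewall itself show up in pflog because of the log keyword on the block rules.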