Date:      Tue, 15 Jan 2002 16:39:25 +0100
From:      Alex Le Heux <alexlh@funk.org>
To:        Ari Suutari <ari.suutari@syncrontech.com>
Cc:        Rene de Vries <rene@canyon.xs4all.nl>, Kshitij Gunjikar <kshitijgunjikar@yahoo.com>, net@FreeBSD.ORG
Subject:   Re: Filtering packets received through an ipsec tunnel
Message-ID:  <20020115153925.GY75815@funk.org>
In-Reply-To: <20020115123429.GV75815@funk.org>
References:  <E4E6F464-0917-11D6-AC08-00039357FA7A@canyon.xs4all.nl> <200201150733.g0F7Xww91320@guinness.syncrontech.com> <20020115121821.GU75815@funk.org> <200201151213.g0FCDbw92015@guinness.syncrontech.com> <20020115123429.GV75815@funk.org>

On Tue, Jan 15, 2002 at 01:34:29PM +0100, Alex Le Heux wrote:
> > 
> > 	But doesn't ipsec stack already take care of this? I think (hope)
> > 	that it doesn't process the packet if it is coming from wrong tunnel
> > 	because the packet does not match the policy.
> 
> I'm not sure if it actually drops 'wrong' packets coming from the tunnel.
> I'll see if I have some time soon to look into it.

Sorry for replying to my own mail...

It seems to do something like it, see sysctl net.inet.ipsec.def_policy in
ipsec(4).

It's not exactly the same though and certainly doesn't give very
fine-grained control.

Although I can't really think of any situations that one can't cover this
way.

Regards,

Alex Le Heux

-- 
Happiness is a side effect of doing something that's got nothing to do
with it, baby.
		- Bootsy Collins
