Date:      Sun, 02 Apr 2006 13:10:00 -0400
From:      "Eric W. Bates" <ericx_lists@vineyard.net>
To:        freebsd-net@freebsd.org
Subject:   Re: tcpdump and ipsec
Message-ID:  <44300568.8030407@vineyard.net>
In-Reply-To: <20060402151039.R51461@atlantis.atlantis.dp.ua>
References:  <442D8E98.6050903@vineyard.net> <20060331222813.GA29047@zen.inc>	<20060331223613.GD80492@spc.org>	<20060402130227.G99958@atlantis.atlantis.dp.ua>	<20060402113516.D76259@maildrop.int.zabbadoz.net> <20060402151039.R51461@atlantis.atlantis.dp.ua>

Dmitry Pryanishnikov wrote:

> 
> Hello!
> 
> On Sun, 2 Apr 2006, Bjoern A. Zeeb wrote:
> 
>>> Why not? IMHO it will be very useful feature: think about e.g.
>>> traffic shaping for several different networks which are routed via
>>> the same
>>> ipsec tunnel. Without the enc0, you can only shape them together, e.g.:
>>
>>
>> why not shaping on the internal interface in case this is a gateway?
>> You know src and dst there too.
> 
> 
>  Gateway can also contain sources of traffic, and we should be able
> to shape all outgoing or incoming traffic (not only transit packets,
> but also locally-originated).
> 
>> The only difference enc0 makes is for host-only-setups or if you want
>> to see all your unencrypted ipsec traffic on a gateway in one place.

As an example, I'm working on a firewall for a hospital.  We have to
terminate a variety of tunnels for vendors providing sensitive services;
but we don't necessarily trust the vendors. I appreciate that I can
filter their traffic as it passes out of the firewall into the hospital
proper; but I would just as soon be able to prevent them from tickling
the firewall itself.

I realize using ipencap would address this; but this is not really an
option when dealing with service vendors.

> 
> 
>  It seems to me that it's also useful for general traffic
> shaping/accounting/filtering purposes.
> 
> Sincerely, Dmitry
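
The kind of enc0 policy the thread is arguing for, as an added illustration that is not from any of the posters: a pf.conf fragment for a FreeBSD gateway that terminates vendor tunnels, filters the decrypted packets on enc0, refuses tunnel traffic addressed to the gateway itself, and uses rule labels for per-vendor accounting. It assumes enc(4) is present and that packets are handed to pf on enc0 via the net.enc.in.ipsec_filter_mask / net.enc.out.ipsec_filter_mask sysctls; every address, port and label name below is a constructed placeholder.

```pf
# /etc/pf.conf fragment -- added example, not from the thread.
# Assumes FreeBSD with enc(4) and the net.enc.{in,out}.ipsec_filter_mask
# sysctls set so that decrypted IPsec packets traverse pf on enc0.
# All networks, hosts and ports are constructed placeholders.

vendor_a       = "10.10.1.0/24"     # vendor A's network behind tunnel A
vendor_b       = "10.10.2.0/24"     # vendor B's network behind tunnel B
hospital       = "192.168.0.0/16"   # hospital networks behind this gateway
vendor_a_hosts = "192.168.20.10"    # the one host vendor A may reach
vendor_b_hosts = "192.168.30.0/24"  # the subnet vendor B may reach

set skip on lo0

# Decrypted inbound tunnel traffic shows up on enc0: default deny there.
block in log on enc0

# Nothing arriving through a tunnel may talk to the gateway's own
# addresses ("self" expands to every address on every interface).
block in log quick on enc0 from { $vendor_a $vendor_b } to self

# Per-vendor allow rules. Each label gets its own packet/byte counters
# (pfctl -vs rules), which covers the accounting use case.
pass in on enc0 proto tcp from $vendor_a to $vendor_a_hosts port 443 \
    label "vendor_a"
pass in on enc0 proto tcp from $vendor_b to $vendor_b_hosts port { 22 443 } \
    label "vendor_b"

# Locally originated or transit traffic from the hospital towards the
# vendors, also counted per rule.
pass out on enc0 from $hospital to { $vendor_a $vendor_b } label "to_vendors"
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -vs rules` prints the per-label counters. Because these rules match the decrypted packets, they apply on top of whatever the ruleset on the external interface does with the ESP packets, and `tcpdump -ni enc0` shows the same cleartext view for debugging.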



