From: Mike Durian
To: Pekka Nikander
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Question about IPsec and double ipfilter processing
Date: Tue, 21 Jan 2003 08:54:26 -0700

On Tuesday 21 January 2003 06:08 am, Pekka Nikander wrote:
> then the IPsec code *requires* that any received packet
> that has a source address within 192.168.2.0/24 was
> indeed protected by the specified tunnel, and if it wasn't,
> it drops the packet.

That's good news. I'll feel better about relaxing my rules a bit
until I can figure out why I'm seeing different behavior than Crist
and what is described in the ipfilter documentation
(http://coombs.anu.edu.au/~avalon/ipfil-flow.html - note the final
bullet item).

mike