This is a discussion on Re: IPSEC only from wireless subnet? within the IPFilter forums, part of the System Security and Security Related category.
Thus spake Paul Armstrong (army@cyber.com.au) [23/09/03 17:47]:
> On Tue, Sep 23, 2003 at 01:01:17PM -0400, Damian Gerow wrote:
> > Note, there are some FreeBSD kernel options that play with how this works.
> > I've never used them, so I don't know how well they work. OpenBSD has the
> > encx interfaces, so they play a little nicer in this regard (I believe).
>
> In 5.0 and above, there's a kernel option for IPSEC_FILTERGIF which allows
> proper filtering on IPSEC traffic.
>
> (NB: I don't know how well this plays with IPF).

I'm thinking of trying it out. It seems to make more sense (from my point of view) than the current method of filtering -- IPSec filtering inbound, then regular traffic filtering outbound. So if outbound traverses a MAP, it's a little more difficult to do client-side filtering. Still possible, just more difficult.

Does anyone have any experience with using IPSEC_FILTERGIF and ipf? Any recommendations for/against?

--
Damian Gerow                                   damian@sentex.net
Systems and Networks Administrator             work +1 519 651 3400 x213
Sentex Communications                          cell +1 519 221 5567
Providing Internet Access since '94            page +1 519 569 2150
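The ruleset below sketches the layout the poster is asking about (wireless clients may reach the gateway only through IPsec, with per-client filtering applied to the decrypted traffic rather than to the ESP packets). It is an added illustration, not code from the thread or from any of the participants. It assumes a FreeBSD 5 kernel built with `options IPSEC`, `IPSEC_ESP` and `IPSEC_FILTERGIF`, that the wireless clients reach the gateway through an IPsec-protected gif(4) tunnel, and the interface names and addresses given in the comments; all of those are assumptions. Which interface the decapsulated packet is presented to ipf on (the gif interface, as assumed here, or the receiving physical interface) is exactly the point the poster wants confirmed, so it should be checked against the running kernel before relying on it.

```conf
# /etc/ipf.conf -- added example, not from the thread. Assumed names:
#   wi0  = wireless interface, clients on 10.0.1.0/24, gateway is 10.0.1.1
#   gif0 = tunnel interface the IPsec-protected gif traffic is decapsulated on
#   fxp0 = wired LAN, 192.168.0.0/24
# Assumed kernel: options IPSEC, IPSEC_ESP, IPSEC_FILTERGIF, so that packets
# coming out of the tunnel are handed back to ipf instead of bypassing it.

# --- Physical wireless interface: only what IPsec itself needs gets in. ---
# IKE (ISAKMP, UDP/500) from a wireless client to the gateway's own address.
pass in quick on wi0 proto udp from 10.0.1.0/24 to 10.0.1.1 port = 500 keep state
# ESP from a wireless client to the gateway.
pass in quick on wi0 proto esp from 10.0.1.0/24 to 10.0.1.1
# Anything else arriving in the clear from the wireless side is logged and
# dropped, so a client that skips the VPN gets nothing.
block in log quick on wi0 all

# --- Tunnel interface: the decrypted, decapsulated packet is filtered here. ---
# This is where client-side policy lives: addresses and ports are the inner
# (plaintext) ones, and nothing is NAT-mapped yet.
pass in quick on gif0 proto tcp from 10.0.1.0/24 to 192.168.0.0/24 port = 22 flags S keep state
pass in quick on gif0 proto tcp from 10.0.1.0/24 to any port = 80 flags S keep state
pass in quick on gif0 proto udp from 10.0.1.0/24 to 192.168.0.1 port = 53 keep state
block in log quick on gif0 all

# --- Outbound: replies and the tunnel's own return traffic. ---
pass out quick on fxp0 all keep state
pass out quick on gif0 all keep state
pass out quick on wi0 proto esp from 10.0.1.1 to 10.0.1.0/24
pass out quick on wi0 proto udp from 10.0.1.1 port = 500 to 10.0.1.0/24 keep state
block out log quick on wi0 all
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon -o I` (or the per-rule counters from `ipfstat -hio`) while a wireless client brings up its tunnel: if the plaintext packets are being logged against the `wi0` block rule rather than matched on `gif0`, the kernel is re-injecting them on the receiving interface and the `gif0` rules need to move to `wi0`, keyed on source addresses that only the tunnel can produce.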