Subject: RE: filtering and IPSec
To: 'Chris Jones' <netbsd-help@netbsd.org>
From: Michael D. Spence <spence@panix.com>
List: netbsd-help
Date: 03/26/2003 19:56:12
> -----Original Message-----
> From: netbsd-help-owner@netbsd.org
> [mailto:netbsd-help-owner@netbsd.org]On Behalf Of Chris Jones
> Sent: Wednesday, March 26, 2003 6:49 PM
> To: netbsd-help@netbsd.org
> Subject: filtering and IPSec
>
> At work, I have a combination firewall/IPSec tunnel endpoint which is
> running NetBSD. It works very nicely, except for one thing: as
> documented in several places (like ipf(4)), ipf scans the incoming
> packets before they get to IPSec. So, I can either allow the main
> office to send us encrypted traffic, or I can disallow them; I have no
> finer control than that.
>
> Because the main office is somewhat large, and because a lot of computer
> attacks are some form of internal attacks, I'd like to have fine-grained
> control over firewall rules between my office and the main office. It
> would be nice if I had another computer; then I could put IPSec and
> firewall services on two different machines, and that would let me put
> lots of controls on things.
>
> Does anybody know any other ways to achieve this level of control,
> without buying another computer?
>
Two more NICs and a suitable cable between them? NICs are pretty cheap.
If you've got two slots for them, you probably could get it done for < $50.