Subject: Re: Non-IPSec Processing Point for ipf
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 04/18/2003 17:26:44
On Thu, 17 Apr 2003, Michael Richardson wrote:

> 1) if you have IPsec, it doesn't matter what interface things arrive on.
>    So, you can name the new "pseudo" interface, something like "ipsec"

It certainly does matter what interface things arrive on!

If I have two IPSec links, one to network A/24 and one to network B/24,
I need to block all source=A/24 packets that come in via the tunnel from
B, and all source=B/24 packets that come in via the tunnel from A, because
those packets are forged.

> (In any case, "noipsec" confuses me. I think you meant
> "after-ipsec-processing"?)

But "after-ipsec-processing" is *with* ipsec on the outbound direction
of an interface.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
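The per-tunnel anti-spoofing check Curt describes, as an added illustration that is not part of the original mail or of ipf itself: each tunnel is expected to carry only its own remote prefix, so a packet whose source belongs to the other tunnel's network is forged. Tunnel names and the RFC 5737 prefixes are assumed placeholders for "A/24" and "B/24"; the second function shows what is lost if both tunnels collapse into one shared "ipsec" pseudo-interface.

```python
import ipaddress

# Constructed mapping: which remote network each IPsec tunnel legitimately
# carries.  Names and prefixes are assumptions for the example only.
TUNNEL_NETS = {
    "tunnel-A": ipaddress.ip_network("192.0.2.0/24"),     # network A/24
    "tunnel-B": ipaddress.ip_network("198.51.100.0/24"),  # network B/24
}


def classify(tunnel, src):
    """Classify a decrypted packet with source `src` that arrived via `tunnel`.

    Returns 'pass'    if src is inside the network this tunnel is for,
            'forged'  if src belongs to a network served by a *different*
                      tunnel (the spoofing case the mail warns about),
            'unknown' if src belongs to no configured tunnel network.
    """
    if tunnel not in TUNNEL_NETS:
        raise ValueError(f"unknown tunnel {tunnel!r}")
    addr = ipaddress.ip_address(src)
    if addr in TUNNEL_NETS[tunnel]:
        return "pass"
    for name, net in TUNNEL_NETS.items():
        if name != tunnel and addr in net:
            return "forged"
    return "unknown"


def classify_single_pseudo_interface(src):
    """Same decision when the filter sees only one shared 'ipsec' interface.

    Without knowing which tunnel carried the packet, the best it can do is
    check that src is in *some* tunnel network, so a B-side peer injecting
    A/24 sources is indistinguishable from genuine A traffic.
    """
    addr = ipaddress.ip_address(src)
    return "pass" if any(addr in n for n in TUNNEL_NETS.values()) else "unknown"


def filter_packets(packets):
    """Apply classify() to a list of (tunnel, src) pairs; returns verdicts."""
    return [(tunnel, src, classify(tunnel, src)) for tunnel, src in packets]
```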