Re:
From: Shoichi Sakane (sakane@kame.net)
Date: 10/30/01
- Next message: Michael Scheidell: "Re: can I use keep-state for icmp rules?"
- Previous message: Kameron Gasso: "[OT] Braindead sofware/configuration"
- In reply to: tariq_rashid@lineone.net: "(no subject)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: tariq_rashid@lineone.net
Date: Tue, 30 Oct 2001 20:19:32 +0900
From: Shoichi Sakane <sakane@kame.net>
> Now - the problem with this is that these "wide catching" spd also catch and encapsulate traffic from the localhost to the localhost, and also traffic from the localhost to the protected subnet.
>
> eg 10.8.0.1 (gw-A) -> 10.8.0.1 --------> fails (encapsulated)
> eg 10.8.0.1 (gw-A) -> 10.8.0.5 --------> fails (encapsulated)
>
> .. resulting in a routing loop?
The order of the policy rules is important. You should define the
bypass policy for the local communication.
How about the following policy order? For example, at gw-A:
10.8.0.0/16[any] 10.8.0.0/16[any] any out none
10.8.0.0/16[any] 10.8.0.0/16[any] any in none
10.8.0.0/16[any] 10.0.0.0/8[any] any out ipsec ...
10.0.0.0/8[any] 10.8.0.0/16[any] any in ipsec ...
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
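The point of Sakane's answer is that the KAME SPD is searched per direction in insertion order and the first matching entry wins, so a narrow bypass entry placed before a wider `ipsec` entry (10.8.0.0/16 is inside 10.0.0.0/8, so the tunnel rule would otherwise swallow all local traffic) is what stops gateway-local and intra-subnet packets from being encapsulated. The following is an added example, not code from the post or from the KAME project: a small first-match SPD evaluator loaded with the four policies above, the same policies in the wrong order to reproduce the symptom in the quoted question, and a renderer that prints them as setkey(8) `spdadd` lines. The tunnel endpoint 10.9.0.1 for gw-B and the `esp/tunnel/.../require` request are assumptions, since the post elides the `ipsec ...` part.

```python
"""First-match SPD lookup, modelled on the setkey policy order in the reply.

Added example; not code from the mailing-list post or from KAME.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Policy:
    src: str          # source prefix, e.g. "10.8.0.0/16"  ([any] port/proto -> upperspec "any")
    dst: str          # destination prefix
    direction: str    # "in" or "out"
    action: str       # "none" (bypass), "ipsec", or "discard"
    request: str = ""  # ipsec request string, e.g. "esp/tunnel/10.8.0.1-10.9.0.1/require"

    def matches(self, src_ip: str, dst_ip: str, direction: str) -> bool:
        return (direction == self.direction
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def lookup(spd: List[Policy], src_ip: str, dst_ip: str, direction: str) -> str:
    """Walk the SPD in insertion order and return the first matching action.

    KAME evaluates the per-direction policy list this way, so an earlier,
    narrower bypass entry beats a later, wider 'ipsec' entry that also covers
    the packet.  With no match the system default policy applies
    (net.inet.ipsec.def_policy, which defaults to 'none').
    """
    for p in spd:
        if p.matches(src_ip, dst_ip, direction):
            return p.action
    return "none"


def to_setkey(spd: List[Policy]) -> str:
    """Render the policies as setkey(8) 'spdadd' lines in the same order."""
    lines = []
    for p in spd:
        policy = p.action if p.action != "ipsec" else f"ipsec {p.request}"
        lines.append(f"spdadd {p.src} {p.dst} any -P {p.direction} {policy};")
    return "\n".join(lines)


# Hypothetical tunnel endpoints: gw-A is 10.8.0.1 (from the post), gw-B 10.9.0.1 (assumed).
TUNNEL_OUT = "esp/tunnel/10.8.0.1-10.9.0.1/require"
TUNNEL_IN = "esp/tunnel/10.9.0.1-10.8.0.1/require"

# Sakane's order at gw-A: bypass local traffic first, then the wide ipsec rules.
CORRECT = [
    Policy("10.8.0.0/16", "10.8.0.0/16", "out", "none"),
    Policy("10.8.0.0/16", "10.8.0.0/16", "in", "none"),
    Policy("10.8.0.0/16", "10.0.0.0/8", "out", "ipsec", TUNNEL_OUT),
    Policy("10.0.0.0/8", "10.8.0.0/16", "in", "ipsec", TUNNEL_IN),
]

# Same four policies with the wide ipsec rules first: reproduces the reported failure.
BROKEN = CORRECT[2:] + CORRECT[:2]


if __name__ == "__main__":
    cases = [("10.8.0.1", "10.8.0.1", "out"),   # gw-A to itself
             ("10.8.0.1", "10.8.0.5", "out"),   # gw-A to its protected subnet
             ("10.8.0.1", "10.1.2.3", "out")]   # gw-A to a remote 10/8 host
    for src, dst, direction in cases:
        print(f"{src} -> {dst} {direction}: correct={lookup(CORRECT, src, dst, direction)}"
              f" broken={lookup(BROKEN, src, dst, direction)}")
    print(to_setkey(CORRECT))
```

Run with `python3 spd_order.py` (the file name is arbitrary). With the correct order, both local cases resolve to `none` and only the remote destination yields `ipsec`; with the ipsec rules first, the local cases also resolve to `ipsec`, which is the "fails (encapsulated)" behaviour in the quoted question. The rendered `spdadd` lines can be fed to `setkey -f` in that order; loading the same lines in a different order changes the result, which is why the ordering in the reply matters.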