Dan McDonald wrote:
> On Mon, Oct 20, 2008 at 07:57:28PM +0100, Darren J Moffat wrote:
>>> 1) create ipsec rules that only allow packets related to the needed
>>> services through
>> I don't see any value in using ipsec to do packet filtering when we have
>> ipsec.
>
> That's a false tautology. ;)
>
> You need to substitute "ipfilter" in one of those two "ipsec" instances.

The last one.

> There's also a recently-announced-for-review ipfilter set of revs that nwam
> may be able to exploit.

Yes, good idea, this is "ipfilter policy in SMF services"

--
Darren J Moffat