* Brian <[EMAIL PROTECTED]> [2007-10-22 20:39]:
> Joshua Smith wrote:
> > Out of curiosity what are these two extremely rare cases?
> [snip]
> 
> One example off the top of my head (and ipsec.conf(5)) is the enc0
> interface.  You wouldn't set your state-policy to this, but each
> individual rule would use if-bound to prevent traffic from going out
> your egress when an IPsec SA is removed/expires before the state is
> removed/expires (think isakmpd and the various reasons an SA can disappear).

that is indeed one case. whether you really want ifbound for ipsec or not
depends on the setup, you have to think it through on a case-by-case
basis.

the other case is so bizarre that I forgot the details. basically a
case where a packet goes thru the stack 3 times instead of 2 with the
normal forwarding. I think you could trigger that with very very very
very very strange use of the evil route-to (which should be avoided
wherever possible in the first place).

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
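
The enc0 case discussed in this message, as an added pf.conf sketch that is not from either poster: the state policy stays at the floating default and only the enc0 rules use if-bound, following the pattern in ipsec.conf(5). The macros and addresses are constructed placeholders, and the final block rule is an assumption about how the egress ruleset is written.

```conf
# Constructed placeholders (documentation/private ranges), not from the thread
gw_a  = "192.0.2.1"       # local IPsec gateway
gw_b  = "198.51.100.1"    # remote IPsec gateway
net_a = "10.0.1.0/24"     # local protected network
net_b = "10.0.2.0/24"     # remote protected network

# Global policy stays floating: a state matches packets on any interface.
set state-policy floating

block on enc0

# Per-rule if-bound: each state created here is tied to enc0. If the SA
# is removed or expires while the state still exists and the flow is then
# routed toward the egress interface, the packet does not match the enc0
# state and has to pass the ruleset again.
pass in  on enc0 proto ipencap from $gw_b to $gw_a keep state (if-bound)
pass in  on enc0 from $net_b to $net_a keep state (if-bound)
pass out on enc0 from $net_a to $net_b keep state (if-bound)

# Assumption: tunnel traffic must never leave in the clear. Without a rule
# like this, the re-evaluated packet could create a fresh state on egress.
block out on egress from $net_a to $net_b
```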
