Re: comments on VPN framework document
>>>>> "Daniel" == Daniel Harkins <dharkins@cisco.com> writes:
Daniel> I'm missing something here. You said you were establishing an
Daniel> IPSec tunnel as a point-to-point link in which you didn't know
Daniel> and didn't want/need to know what packets were being sent through
Daniel> it. That's *very* different than a typical access-list or
Daniel> firewall policy which cares very much about the addresses and
Agreed.
Daniel> access-lists? What sort of firewall policy do you have that
Daniel> doesn't care about addressing? "permit all" or "forbid all" are
Daniel> very degenerate and pointless policies.
permit all from interface internal0
forbid all from interface external0
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
Corporate: http://www.sandelman.ottawa.on.ca/SSW/
ON HUMILITY: To err is human, to moo bovine.