
Re: comments on VPN framework document




>>>>> "Daniel" == Daniel Harkins <dharkins@cisco.com> writes:
    Daniel> I'm missing something here. You said you were establishing an
    Daniel> IPSec tunnel as a point-to-point link in which you didn't know
    Daniel> and didn't want/need to know what packets were being sent through
    Daniel> it. That's *very* different than a typical access-list or
    Daniel> firewall policy which cares very much about the addresses and

  Agreed.

    Daniel> access-lists?  What sort of firewall policy do you have that
    Daniel> doesn't care about addressing?  "permit all" or "forbid all" are
    Daniel> very degenerate and pointless policies.

  permit all from interface internal0
  forbid all from interface external0

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.
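An added illustration, not part of the thread, of the distinction Michael draws above: a policy keyed only on the ingress interface (the tunnel treated as a point-to-point link) beside a naive access-list keyed on source address. The interface names `internal0` and `external0` are from the message; the tunnel interface name `ipsec0`, the 10.0.0.0/24 inside prefix and the sample packets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str


# Interface-based policy as stated in the message; addresses are never consulted.
# "ipsec0" is an assumed name for the point-to-point IPsec tunnel interface.
INTERFACE_POLICY = {
    "internal0": "permit",
    "ipsec0": "permit",
    "external0": "forbid",
}

# Assumed inside prefix for the contrasting address-based access-list.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")


def interface_policy(pkt: Packet) -> str:
    """Verdict depends solely on which interface delivered the packet."""
    return INTERFACE_POLICY.get(pkt.ingress, "forbid")


def address_acl(pkt: Packet) -> str:
    """Verdict depends solely on the claimed source address."""
    return "permit" if ipaddress.ip_address(pkt.src) in INTERNAL_NET else "forbid"


# Constructed sample traffic.
SAMPLES = [
    Packet("internal0", "10.0.0.5", "192.0.2.10"),    # inside host going out
    Packet("ipsec0", "172.16.9.1", "10.0.0.7"),       # arrived through the tunnel
    Packet("external0", "198.51.100.3", "10.0.0.7"),  # outside host
    Packet("external0", "10.0.0.5", "10.0.0.7"),      # outside, forged inside source
]


def compare(packets=SAMPLES):
    """Return (interface verdict, address verdict) per packet, in order."""
    return [(interface_policy(p), address_acl(p)) for p in packets]


if __name__ == "__main__":
    for p, (iface_v, addr_v) in zip(SAMPLES, compare()):
        print(f"{p.ingress:9s} {p.src:>13s}  interface:{iface_v:6s}  acl:{addr_v}")
```

The last sample shows why the interface policy needs no knowledge of addressing: a packet with a forged inside source still arrives on `external0` and is forbidden, whereas the address-based list permits it.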