Subject: filtering and IPSec
To: None <netbsd-help@netbsd.org>
From: Chris Jones <chris@cjones.org>
List: netbsd-help
Date: 03/26/2003 16:49:15
At work, I have a combination firewall/IPSec tunnel endpoint which is 
running NetBSD.  It works very nicely, except for one thing:  As 
documented in several places (like ipf(4)), ipf scans the incoming 
packets before they get to IPSec.  So, I can either allow the main 
office to send us encrypted traffic, or I can disallow them; I have no 
finer control than that.

Because the main office is somewhat large, and because a lot of computer 
attacks are some form of internal attacks, I'd like to have fine-grained 
control over firewall rules between my office and the main office.  It 
would be nice if I had another computer; then I could put IPSec and 
firewall services on two different machines, and that would let me put 
lots of controls on things.

Does anybody know any other ways to achieve this level of control, 
without buying another computer?

Chris

-- 
------------------------------------------------- chris@cjones.org
Chris Jones                                       Mad scientist at large
   www.netbsd.org www.postgresql.org www.schemers.org www.python.org
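As an added illustration of the limitation described in the post (this is example configuration written for this page, not rules from Chris's firewall): with ipf inspecting packets before IPsec decapsulation, the only thing a rule can match on inbound traffic from the main office is the outer tunnel packet, i.e. the peer gateway address and the IPsec protocols themselves. The addresses, interface name and gateway addresses below are constructed placeholders; `ex0` is assumed to be the external interface.

```text
# ipf.conf fragment (constructed example, not the original poster's config)
# 203.0.113.1  = main-office IPsec gateway   (placeholder)
# 198.51.100.1 = our external address        (placeholder)

# Allow IKE negotiation with the main-office gateway.
pass in quick on ex0 proto udp from 203.0.113.1 port = 500 to 198.51.100.1 port = 500
# Allow the ESP tunnel itself.
pass in quick on ex0 proto esp from 203.0.113.1 to 198.51.100.1

# Everything else from the outside is dropped (and logged for the audit trail).
block in log on ex0 all
```

The two `pass` rules are the whole extent of the control available at this point: once the ESP packet is admitted, whatever the main office placed inside the tunnel (any inner host, any inner port) is decapsulated and delivered without ever being seen by ipf, which is exactly the all-or-nothing situation the post complains about. Filtering on the inner headers would require a hook after decapsulation, which is why the post considers splitting the IPsec and firewall roles across two machines.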