Subject: Non-IPSec Processing Point for ipf
To: None <tech-net@netbsd.org>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 04/17/2003 17:27:45
So I was talking with Darren about NetBSD's inability to use ipf on
packets from another host if you're doing IPSec with that host, and we
eventually came round to the idea of adding another ipf processing point
before (on output) or after (on input) IPSec processing. This could
fairly easily be specified as another interface (though of course it
wouldn't really be an interface that you could assign an IP address to).
It might look like this:

    # Allow only $remote to send us packets, and make sure that they've
    # got ah headers. (This is a safety net for our ipsec configuration.)
    block in log on ex0 all head 100
    pass in proto ah from $remote to $me group 100

    # Allow $remote to connect only to ports 22 and 80.
    block in log on ex0_noipsec all head 110
    pass in proto icmp from $remote to $me group 110
    pass in proto tcp from $remote to $me port = 22 group 110
    pass in proto tcp from $remote to $me port = 80 group 110

Thoughts?

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
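To show what the proposed second processing point buys, here is an added example (not code from the post, from ipf or from NetBSD) that models both points with the rule set above: ex0 sees the packet as it arrives on the wire, with its AH header, and the proposed ex0_noipsec point sees what IPsec hands up after input processing. It assumes constructed addresses for $remote and $me and a simplified ipf rule model (last matching rule wins, group rules are tried only after their head rule matched, no match means pass).

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

REMOTE, ME = "192.0.2.2", "192.0.2.1"  # constructed stand-ins for $remote / $me

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    on: Optional[str] = None      # processing point; only head rules name one
    proto: Optional[str] = None   # None = any; likewise for src/dst/dport
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    head: Optional[int] = None    # opens a group
    group: Optional[int] = None   # tried only after its head rule matched

Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))

# The rule set from the post; ex0_noipsec is the proposed post-IPsec point.
RULES = [
    Rule("block", on="ex0", head=100),
    Rule("pass", proto="ah", src=REMOTE, dst=ME, group=100),
    Rule("block", on="ex0_noipsec", head=110),
    Rule("pass", proto="icmp", src=REMOTE, dst=ME, group=110),
    Rule("pass", proto="tcp", src=REMOTE, dst=ME, dport=22, group=110),
    Rule("pass", proto="tcp", src=REMOTE, dst=ME, dport=80, group=110),
]

def _match(rule, pkt):
    return all(want is None or want == got for want, got in (
        (rule.proto, pkt.proto), (rule.src, pkt.src),
        (rule.dst, pkt.dst), (rule.dport, pkt.dport)))

def filter_at(point, pkt):
    """Simplified ipf semantics: last matching rule wins, group rules are
    consulted only after their head rule matched, and no match means pass."""
    verdict = "pass"
    for rule in RULES:
        if rule.group is not None or rule.on != point or not _match(rule, pkt):
            continue
        verdict = rule.action
        for sub in (r for r in RULES if rule.head and r.group == rule.head):
            if _match(sub, pkt):
                verdict = sub.action
    return verdict

def inbound(on_wire, after_ipsec=None):
    """ex0 sees the wire form (AH outer header); ex0_noipsec sees what IPsec
    hands up. Assumption: a packet IPsec did not touch is presented unchanged."""
    if filter_at("ex0", on_wire) == "block":
        return "block"
    return filter_at("ex0_noipsec", after_ipsec or on_wire)
```

With only the ex0 point, the AH-protected packet is opaque to the filter and every inner port would get through once the AH rule passed; the ex0_noipsec point is where the port restriction can actually be applied.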