Subject: Re: IPsec configuration issues
To: None <tech-security@netbsd.org>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-security
Date: 03/13/2000 22:56:19
Message-Id: <200003131156.WAA26020@zen.quick.com.au>
References: <200003130330.WAA06446@sandelman.ottawa.on.ca>

>    itojun> #@ in ipsec esp/transport//require
>    itojun> pop3  stream	tcp	nowait	root	/usr/pkg/libexec/qpopper	qpopper -s
>    itojun> #@

>  That insists on the server that it set this policy. That means that even
>people on the local wire, or from localhost, must encrypt. I'd rather that it 
>was the clients that had this policy, and negotiated via racoon for have this 

Some years ago I hacked inetd so that I could have it bind only nominated
addresses.  I then ran an inetd bound to ppp0's address with a config that
offered only the services I wanted to offer.  A separate inetd was run bound
to localhost and the ethernet addresses.

This was long before ipfilter came along, so I also had a simple hack
to ip_input() that would only deliver a packet to the address of the interface
it arrived on (unless it arrived on a loopback interface).

The net effect was simple and reliable.  These days I just use ipfilter.

But it might be handy...

--sjg
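The ip_input() rule described in the message above, as an added user-space model (this is not the author's kernel patch or any NetBSD code): a packet is delivered only when its destination is the address of the interface it arrived on, with loopback exempt. Without such a check, a packet arriving on ppp0 but addressed to the ethernet address would still reach the "internal" inetd bound to that address, which is what the two-inetd split was meant to prevent. The interface names, addresses and the iftab[] table are constructed for the example.

```c
/* Added example, not from the original message: a user-space model of a
 * strong-host delivery check in the spirit of the ip_input() hack above.
 * iftab[] is a constructed interface table: ppp0 is the external link,
 * le0 the local ethernet, lo0 the loopback. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct ifaddr {
    const char *ifname;
    const char *addr;      /* dotted-quad IPv4 address of the interface */
    bool loopback;
};

static const struct ifaddr iftab[] = {
    { "ppp0", "203.0.113.5", false },
    { "le0",  "192.0.2.10",  false },
    { "lo0",  "127.0.0.1",   true  },
};

/* Decide whether a packet that arrived on interface `rcvif` with
 * destination `dst` may be delivered locally.
 * Returns 1 to deliver, 0 to drop. */
int ip_input_policy(const char *rcvif, const char *dst)
{
    struct in_addr d, a;
    size_t i;

    if (inet_pton(AF_INET, dst, &d) != 1)
        return 0;                           /* malformed destination: drop */

    for (i = 0; i < sizeof iftab / sizeof iftab[0]; i++) {
        if (strcmp(iftab[i].ifname, rcvif) != 0)
            continue;
        if (iftab[i].loopback)
            return 1;                       /* looped-back traffic is local by definition */
        if (inet_pton(AF_INET, iftab[i].addr, &a) != 1)
            return 0;                       /* bad table entry: fail closed */
        /* Deliver only to the address of the arrival interface itself. */
        return a.s_addr == d.s_addr;
    }
    return 0;                               /* unknown interface: drop */
}

int main(void)
{
    /* Constructed sample packets: (arrival interface, destination). */
    const char *pkts[][2] = {
        { "ppp0", "203.0.113.5" },   /* external -> external addr: deliver */
        { "ppp0", "192.0.2.10"  },   /* external -> ethernet addr: drop    */
        { "le0",  "192.0.2.10"  },   /* ethernet -> its own addr:  deliver */
        { "lo0",  "192.0.2.10"  },   /* loopback -> any local addr: deliver */
        { "ppp0", "not-an-ip"   },   /* malformed: drop                     */
    };
    size_t n;

    for (n = 0; n < sizeof pkts / sizeof pkts[0]; n++)
        printf("%-5s %-13s %s\n", pkts[n][0], pkts[n][1],
               ip_input_policy(pkts[n][0], pkts[n][1]) ? "deliver" : "drop");
    return 0;
}
```

The table-driven form makes the policy easy to audit: the only way a destination other than the arrival interface's own address is accepted is via the loopback flag, which is exactly the exemption the message describes.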