Subject: RE: filtering and IPSec
To: 'Chris Jones' <netbsd-help@netbsd.org>
From: Michael D. Spence <spence@panix.com>
List: netbsd-help
Date: 03/26/2003 19:56:12
> -----Original Message-----
> From: netbsd-help-owner@netbsd.org
> [mailto:netbsd-help-owner@netbsd.org]On Behalf Of Chris Jones
> Sent: Wednesday, March 26, 2003 6:49 PM
> To: netbsd-help@netbsd.org
> Subject: filtering and IPSec
> 
> 
> At work, I have a combination firewall/IPSec tunnel endpoint which is
> running NetBSD.  It works very nicely, except for one thing:  As
> documented in several places (like ipf(4)), ipf scans the incoming
> packets before they get to IPSec.  So, I can either allow the main
> office to send us encrypted traffic, or I can disallow them; I have no
> finer control than that.
> 
> Because the main office is somewhat large, and because a lot of computer
> attacks are some form of internal attacks, I'd like to have fine-grained
> control over firewall rules between my office and the main office.  It
> would be nice if I had another computer; then I could put IPSec and
> firewall services on two different machines, and that would let me put
> lots of controls on things.
> 
> Does anybody know any other ways to achieve this level of control,
> without buying another computer?
> 

Two more NICs and a suitable cable between them?  NICs are pretty cheap.
If you've got two slots for them, you probably could get it done for < $50.
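An illustration of the ipf side of the two-NIC arrangement, added here as an example and not taken from either poster: the outer interface admits only IKE and ESP from the main office's gateway, the decrypted traffic is routed out one of the extra NICs and back in through the other, and the fine-grained rules are applied on that inbound loop interface where ipf finally sees cleartext. Interface names (wm0, wm1, wm2), the addresses and the permitted services are assumptions chosen for the example; the routing and IPsec policy that push decrypted packets across the cable are set up separately and are not shown.

```conf
# /etc/ipf.conf (example ruleset, not from the original thread)
#
# wm0: Internet-facing interface; only encrypted traffic is visible here.
# wm1: extra NIC, decrypted packets are routed OUT this interface.
# wm2: extra NIC, cabled to wm1; decrypted packets come back IN here.
#
# Assumed addresses (placeholders):
#   203.0.113.1   main office IPsec gateway
#   198.51.100.1  our own IPsec gateway (this box, wm0)
#   10.1.0.0/16   main office internal network (inside the tunnel)
#   10.2.0.0/16   our office internal network

# --- outer interface: admit only the tunnel itself -------------------
pass in quick on wm0 proto udp from 203.0.113.1 to 198.51.100.1 port = 500 keep state
pass in quick on wm0 proto esp from 203.0.113.1 to 198.51.100.1
block in log quick on wm0 all

# --- loop cable: everything leaving wm1 is already decrypted ----------
pass out quick on wm1 all

# --- loop cable inbound: this is where fine-grained policy lives ------
# Allow the main office to reach only our mail and DNS servers.
pass in quick on wm2 proto tcp from 10.1.0.0/16 to 10.2.0.5 port = 25 keep state
pass in quick on wm2 proto udp from 10.1.0.0/16 to 10.2.0.3 port = 53 keep state
pass in quick on wm2 proto tcp from 10.1.0.0/16 to 10.2.0.3 port = 53 keep state
# Let our own hosts initiate connections toward the main office.
pass out quick on wm2 proto tcp from 10.2.0.0/16 to 10.1.0.0/16 keep state
pass out quick on wm2 proto udp from 10.2.0.0/16 to 10.1.0.0/16 keep state
# Anything else arriving from the main office is logged and dropped.
block in log quick on wm2 all
```

The `block in log quick on wm0 all` line is the point of the outer section: nothing but IKE and ESP from the known peer ever reaches the host, so the cleartext rules on wm2 cannot be bypassed by unencrypted packets arriving on the Internet interface. After loading with `ipf -Fa -f /etc/ipf.conf`, `ipfstat -io` shows the active rules and `ipmon` reports hits on the logged block rules, which is a quick way to confirm that decrypted traffic really is being inspected on wm2 rather than slipping past on wm0.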