Subject: Re: Non-IPSec Processing Point for ipf
To: None <itojun@iijlab.net>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 04/18/2003 17:48:08
On Fri, 18 Apr 2003 itojun@iijlab.net wrote:

> >If I have two IPSec links, one to network A/24 and one to network B/24,
> >I need to block all source=A/24 packets that come in via the tunnel from
> >B, and all source=B/24 packets that come in via the tunnel from A, because
> >those packets are forged.
>
> 	why not filter at the other end of the tunnel (tunnel egress point)?

Because it's not my machine; it belongs to another company to whom I need
an encrypted tunnel.

> 	is it not under your control, or are you having tunnel with non-
> 	trustworthy peers?

Both.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
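As an added illustration of the filtering Curt describes (not code from this thread, ipf, or the NetBSD project): the check that is needed at the local end is a per-tunnel ingress filter, where a packet whose inner source address lies in the prefix reached through one tunnel is dropped if it was decapsulated from any other tunnel. The tunnel names, the prefixes 192.0.2.0/24 and 198.51.100.0/24 standing in for "A/24" and "B/24", and the sample packets are all constructed here for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed tunnel table (assumption for this example): each IPsec peer
# maps to the prefixes that legitimately originate behind its tunnel.
TUNNELS: Dict[str, List[ipaddress.IPv4Network]] = {
    "peerA": [ipaddress.ip_network("192.0.2.0/24")],      # stands in for "network A/24"
    "peerB": [ipaddress.ip_network("198.51.100.0/24")],   # stands in for "network B/24"
}


def protected_prefixes(tunnels: Dict[str, List[ipaddress.IPv4Network]]):
    """Flatten the table into (prefix, owning_tunnel) pairs."""
    return [(net, name) for name, nets in tunnels.items() for net in nets]


def ingress_verdict(src: str, arrived_via: str,
                    tunnels: Dict[str, List[ipaddress.IPv4Network]] = TUNNELS) -> Tuple[str, str]:
    """Decide whether a decapsulated inner packet is consistent with the tunnel it came from.

    src:         inner (post-decapsulation) source address
    arrived_via: name of the tunnel / SA the packet was decapsulated from
    Returns (verdict, reason) where verdict is "accept" or "drop".
    """
    addr = ipaddress.ip_address(src)
    if arrived_via not in tunnels:
        return ("drop", f"packet from unknown tunnel {arrived_via!r}")

    # Rule 1: a source inside a prefix owned by *another* tunnel is forged.
    for net, owner in protected_prefixes(tunnels):
        if addr in net and owner != arrived_via:
            return ("drop", f"{src} is in {net} (behind {owner}) but arrived via {arrived_via}")

    # Rule 2 (strict ingress filtering): the source must be inside the
    # prefixes expected behind the tunnel it actually arrived on.
    if not any(addr in net for net in tunnels[arrived_via]):
        return ("drop", f"{src} is outside every prefix expected behind {arrived_via}")

    return ("accept", f"{src} is consistent with tunnel {arrived_via}")


def filter_batch(packets: List[Tuple[str, str]]) -> Dict[str, int]:
    """Run the verdict over (src, tunnel) pairs and tally the outcomes."""
    counts = {"accept": 0, "drop": 0}
    for src, via in packets:
        verdict, _reason = ingress_verdict(src, via)
        counts[verdict] += 1
    return counts


# Constructed sample of decapsulated packets: (inner source, tunnel it arrived on).
SAMPLE_PACKETS = [
    ("192.0.2.7", "peerA"),        # legitimate: A's address via A's tunnel
    ("198.51.100.9", "peerB"),     # legitimate: B's address via B's tunnel
    ("192.0.2.7", "peerB"),        # forged: A's address arriving via B
    ("198.51.100.9", "peerA"),     # forged: B's address arriving via A
    ("203.0.113.5", "peerA"),      # not behind A at all: dropped by the strict rule
    ("192.0.2.8", "peerC"),        # unknown tunnel
]

if __name__ == "__main__":
    for src, via in SAMPLE_PACKETS:
        verdict, reason = ingress_verdict(src, via)
        print(f"{verdict:6} {reason}")
    print(filter_batch(SAMPLE_PACKETS))
```

The point of keying the rule on the tunnel the packet was decapsulated from, rather than on the outer IP header, is exactly why the thread asks for a filtering hook after IPsec processing: before decapsulation the inner source address is not visible, and after it the packet looks like any other forwarded packet unless the filter is told which SA delivered it.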