Subject: Re: Non-IPSec Processing Point for ipf
To: None <tech-net@netbsd.org>
From: Andreas Öman <andreas@packetfront.com>
List: tech-net
Date: 04/23/2003 15:02:10
Bill Studenmund wrote:
>
>>Here, there are a number of filter points:
>>
>> I/W: input, wire side of IPsec
>> I/H: input, host side of IPsec
>> I/F: input, before forwarding
>> I/host: input, before delivery to host via a pcb
>
>
> Add NAT to that too. :-)
>
Another thing, I would like to see a way to add ip-filters to a socket.
That way non-root software could add filters to their applications.
Also, you don't have to worry about the interface on where traffic
arrives (and forget to add rules when adding a new interface to
your box). For example, if a TCP socket receives a connection attempt
that is blocked by its access list it should send an RST back (as if the
port was not open at all), etc. etc.
I don't know if it's the "right way" to use these dummy interfaces
for this; however, I think it would be a nice feature, for sure.
---
Regards, Andreas Öman