I use IPSec to secure rw access to NFS shares. What would you suggest to ensure that in no case whatsoever non-ipsec packet gets to NFS? I can use require-level policies and I can tell ipfw to only pass ipsec, but what if ipfw and setkey somehow fail, even for a few minutes? Should I rely on that not happening? Thanks!