diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index 1c9373f03d..c28bc1878c 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -3116,7 +3116,17 @@ options	  FAST_IPSEC  # new IPsec (cannot define w/ IPSEC)
 	  <quote>Fast IPsec</quote> subsystem in lieu of the KAME
 	  implementation of IPsec.  Consult the &man.fast.ipsec.4;
 	  manual page for more information.</para>
+      </note>
 
+      <note>
+	<para>To let firewalls properly track state for &man.gif.4;
+	  tunnels too, you have to enable the
+	  <option>IPSEC_FILTERGIF</option> in your kernel
+	  configuration:</para>
+
+	<screen>
+options   IPSEC_FILTERGIF  #filter ipsec packets from a tunnel
+	</screen>
       </note>
   
       <indexterm>