In some mail from Nigel Metheringham, sie said:
>
> [EMAIL PROTECTED] said:
> > The UDP masquerading code only checks the DESTINATION PORT to
> > determine if a packet coming from the external network is to be
> > forwarded inside.
>
> this is due to a number of hosts/services returning UDP from an IP
> other than that which the original UDP packet went to - for example it
> is frequently the case that NFS servers just use the interface ip
> address "closest" to that which the NFS op came from.

Common sense would suggest that the client should be using that address
too...

> I'll give this some thought to work out a way of narrowing this hole (I
> don't think it can be completely closed without causing other problems).

Here's some advice from the implementation of IP Filter:
I've had it closed since day 0 and had 0 reports of problems because of it.

Cheers,
Darren
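
Added example, not part of the original message and not code from the Linux masquerading module or IP Filter: a minimal C model of the two lookup policies discussed in the thread, destination-port-only matching versus matching the full remote address and port. The struct layout, function names, addresses and ports are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One masqueraded UDP flow (hypothetical layout). */
struct masq_entry {
    uint32_t in_addr;  uint16_t in_port;   /* internal client */
    uint32_t rem_addr; uint16_t rem_port;  /* remote peer the client sent to */
    uint16_t masq_port;                    /* port allocated on the gateway */
};
struct udp_pkt { uint32_t saddr; uint16_t sport; uint16_t dport; };

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Loose policy: destination port only, as described in the report. */
const struct masq_entry *lookup_loose(const struct masq_entry *t, size_t n,
                                      const struct udp_pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].masq_port == p->dport)
            return &t[i];
    return NULL;
}

/* Strict policy: the packet must also come from the remote address and
 * port that the internal client originally sent to. */
const struct masq_entry *lookup_strict(const struct masq_entry *t, size_t n,
                                       const struct udp_pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].masq_port == p->dport &&
            t[i].rem_addr == p->saddr && t[i].rem_port == p->sport)
            return &t[i];
    return NULL;
}

/* Constructed sample data: one NFS-style flow and three inbound packets. */
static const struct masq_entry table[] = {
    { IP(192,168,1,10), 800, IP(203,0,113,5), 2049, 61001 },
};
static const struct udp_pkt reply_same_ip  = { IP(203,0,113,5),  2049, 61001 };
static const struct udp_pkt reply_other_if = { IP(203,0,113,6),  2049, 61001 };
static const struct udp_pkt unrelated_host = { IP(198,51,100,77), 4000, 61001 };

int main(void)
{
    const struct udp_pkt *p[] = { &reply_same_ip, &reply_other_if, &unrelated_host };
    for (size_t i = 0; i < 3; i++)
        printf("pkt %zu: loose=%s strict=%s\n", i,
               lookup_loose(table, 1, p[i]) ? "forward" : "drop",
               lookup_strict(table, 1, p[i]) ? "forward" : "drop");
    return 0;
}
```

The strict lookup drops the packet from the unrelated host, and it also drops the reply sent from the server's other interface address, which is the compatibility cost raised in the quoted text.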