Jigal Weinberg wrote:
> <snip>
> # This is the best method: turn on Source Address Verification and get
> # spoof protection on all current and future interfaces
> </snip>

Be careful with the rp_filter, it breaks the combination of NAT (masquerading) with source-based routing. If you need both, and still want the rp_filter, then contact me directly and I will send you a patch for >= 2.2.14 that corrects this problem (Alan Cox already knows of the problem and is checking out my patch).

BTW, the problem is still there in 2.4.0-test11, but my patch won't work there.

best greets,
Rene
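An added example, not part of the original message: a shell check that flags a host where rp_filter is enabled while source-based routing rules are present, the combination the message warns about. The function names are hypothetical, and the rule format assumed is the output of iproute2's `ip rule show`.

```shell
#!/bin/sh
# Added example: report where rp_filter is enabled while source-based
# routing rules exist. Inputs are parameters so the check also runs on
# saved data; on a live host pass /proc/sys/net/ipv4/conf and a file
# holding the output of `ip rule show`.

# Print "priority source" for each rule that selects on a source address
# (anything other than "from all").
source_rules() {
    # $1: file holding `ip rule show` output
    awk '$2 == "from" && $3 != "all" { sub(":", "", $1); print $1, $3 }' "$1"
}

# Print the name of each conf entry (all, default, eth0, ...) whose
# rp_filter value is non-zero.
rp_filter_enabled() {
    # $1: directory laid out like /proc/sys/net/ipv4/conf
    for f in "$1"/*/rp_filter; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        [ "$val" != "0" ] && basename "$(dirname "$f")"
    done
    return 0
}

# Return 1 and print a report when both conditions hold, 0 otherwise.
check_rp_filter_conflict() {
    conf_dir=$1
    rules_file=$2
    rules=$(source_rules "$rules_file")
    ifaces=$(rp_filter_enabled "$conf_dir")
    if [ -n "$rules" ] && [ -n "$ifaces" ]; then
        echo "rp_filter enabled on: $(echo $ifaces)"
        echo "source-based rules (priority, source):"
        echo "$rules"
        return 1
    fi
    return 0
}

# Example invocation (rules.txt is an assumed file name):
#   ip rule show > rules.txt
#   check_rp_filter_conflict /proc/sys/net/ipv4/conf rules.txt
```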

