On Mon, Nov 25, 2002 at 05:46:47PM +0100, Eric Masson wrote: > > In my case, the lan joined by the vpn use rfc1918 adresses, and if I > want the vpn traffic to flow correctly, I must invalidate incoming > rfc1918 address checking on the external firewall interface. I don't > think it increases security ;) > > So Is there any fix floating around or is this definitely the right > behaviour ?
I see /usr/src/sys/netinet/ip_input.c changed last night when I ran cvsup: * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 * $FreeBSD: src/sys/netinet/ip_input.c,v 1.130.2.44 2002/11/25 05:23:00 silby Exp $ cvs log says: ---------------------------- revision 1.130.2.44 date: 2002/11/25 05:23:00; author: silby; state: Exp; lines: +20 -2 MFC rev 1.217 Add a sysctl to control the generation of source quench packets, and set it to 0 by default. Partially obtained from: NetBSD Suggested by: David Gilbert ---------------------------- revision 1.130.2.43 date: 2002/11/21 01:27:31; author: luigi; state: Exp; lines: +1 -0 MFC: obey to fw_one_pass in bridge and layer 2 firewalling (the latter only affects ipfw2 users). Move fw_one_pass from ip_fw[2].c to ip_input.c to avoid depending on IPFIREWALL. ---------------------------- I haven't tried it yet but the above sounds like its addressing the problem I have had with formerly tunneled packets being run thru IPFW after emerging from the tunnel. -- David Kelly N4HHE, [EMAIL PROTECTED] ===================================================================== The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-stable" in the body of the message
