Date: Mon, 25 Nov 2002 13:21:23 -0600 From: David Kelly <dkelly@hiwaay.net> To: Eric Masson <e-masson@kisoft-services.com> Cc: Ari Suutari <ari.suutari@syncrontech.com>, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? Message-ID: <20021125192123.GA66919@grumpy.dyndns.org> In-Reply-To: <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com> References: <200211142157.57459.dkelly@HiWAAY.net> <3DD4F4D1.83C77B0@dolaninformation.com> <200211180854.29349.ari.suutari@syncrontech.com> <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Nov 25, 2002 at 05:46:47PM +0100, Eric Masson wrote: > > In my case, the lan joined by the vpn use rfc1918 adresses, and if I > want the vpn traffic to flow correctly, I must invalidate incoming > rfc1918 address checking on the external firewall interface. I don't > think it increases security ;) > > So Is there any fix floating around or is this definitely the right > behaviour ? I see /usr/src/sys/netinet/ip_input.c changed last night when I ran cvsup: * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 * $FreeBSD: src/sys/netinet/ip_input.c,v 1.130.2.44 2002/11/25 05:23:00 silby Exp $ cvs log says: ---------------------------- revision 1.130.2.44 date: 2002/11/25 05:23:00; author: silby; state: Exp; lines: +20 -2 MFC rev 1.217 Add a sysctl to control the generation of source quench packets, and set it to 0 by default. Partially obtained from: NetBSD Suggested by: David Gilbert ---------------------------- revision 1.130.2.43 date: 2002/11/21 01:27:31; author: luigi; state: Exp; lines: +1 -0 MFC: obey to fw_one_pass in bridge and layer 2 firewalling (the latter only affects ipfw2 users). Move fw_one_pass from ip_fw[2].c to ip_input.c to avoid depending on IPFIREWALL. ---------------------------- I haven't tried it yet but the above sounds like its addressing the problem I have had with formerly tunneled packets being run thru IPFW after emerging from the tunnel. -- David Kelly N4HHE, dkelly@hiwaay.net ===================================================================== The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021125192123.GA66919>