From owner-freebsd-stable Mon Nov 25 11:23:24 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 410E037B401 for ; Mon, 25 Nov 2002 11:23:23 -0800 (PST) Received: from grumpy.dyndns.org (user-24-214-34-52.knology.net [24.214.34.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id 703C743E9C for ; Mon, 25 Nov 2002 11:23:22 -0800 (PST) (envelope-from dkelly@grumpy.dyndns.org) Received: from grumpy.dyndns.org (localhost [127.0.0.1]) by grumpy.dyndns.org (8.12.6/8.12.6) with ESMTP id gAPJLOgx066949; Mon, 25 Nov 2002 13:21:24 -0600 (CST) (envelope-from dkelly@grumpy.dyndns.org) Received: (from dkelly@localhost) by grumpy.dyndns.org (8.12.6/8.12.6/Submit) id gAPJLNHk066948; Mon, 25 Nov 2002 13:21:23 -0600 (CST) Date: Mon, 25 Nov 2002 13:21:23 -0600 From: David Kelly To: Eric Masson Cc: Ari Suutari , greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG Subject: Re: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? Message-ID: <20021125192123.GA66919@grumpy.dyndns.org> References: <200211142157.57459.dkelly@HiWAAY.net> <3DD4F4D1.83C77B0@dolaninformation.com> <200211180854.29349.ari.suutari@syncrontech.com> <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86n0nxsiko.fsf@notbsdems.nantes.kisoft-services.com> User-Agent: Mutt/1.4i Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Nov 25, 2002 at 05:46:47PM +0100, Eric Masson wrote: > > In my case, the lan joined by the vpn use rfc1918 adresses, and if I > want the vpn traffic to flow correctly, I must invalidate incoming > rfc1918 address checking on the external firewall interface. I don't > think it increases security ;) > > So Is there any fix floating around or is this definitely the right > behaviour ? I see /usr/src/sys/netinet/ip_input.c changed last night when I ran cvsup: * @(#)ip_input.c 8.2 (Berkeley) 1/4/94 * $FreeBSD: src/sys/netinet/ip_input.c,v 1.130.2.44 2002/11/25 05:23:00 silby Exp $ cvs log says: ---------------------------- revision 1.130.2.44 date: 2002/11/25 05:23:00; author: silby; state: Exp; lines: +20 -2 MFC rev 1.217 Add a sysctl to control the generation of source quench packets, and set it to 0 by default. Partially obtained from: NetBSD Suggested by: David Gilbert ---------------------------- revision 1.130.2.43 date: 2002/11/21 01:27:31; author: luigi; state: Exp; lines: +1 -0 MFC: obey to fw_one_pass in bridge and layer 2 firewalling (the latter only affects ipfw2 users). Move fw_one_pass from ip_fw[2].c to ip_input.c to avoid depending on IPFIREWALL. ---------------------------- I haven't tried it yet but the above sounds like its addressing the problem I have had with formerly tunneled packets being run thru IPFW after emerging from the tunnel. -- David Kelly N4HHE, dkelly@hiwaay.net ===================================================================== The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message