Message-ID: <20050301210756.htmfzmcu80wsoc40@email.vif.com>
Date: Tue, 1 Mar 2005 21:07:56 -0500
From: tad@vif.com
To: freebsd-net@freebsd.org
Subject: Re: Kern/73129 and 5.3-STABLE
List-Id: Networking and TCP/IP with FreeBSD

> On Thu, Feb 10, 2005 at 11:27:35AM +0100, Andre Oppermann wrote:
> > > On Wed, Feb 09, 2005 at 09:48:18PM +0100, Andre Oppermann wrote:
> > > > The problem is with locally generated packets which go the wrong way.
> > > > This gets nasty when the box has to generate some path MTU discovery
> > > > ICMP message and such. What I implemented is the correct thing to do
> > > > and prevents foot-shooting. On the other hand it prevents people from
> > > > forwarding local ports and such. Both sides of the coin have merit
> > > > and there is no easy deciding between them or obvious right or wrong
> > > > choice.
[...]
> The code that is currently in the tree.
> --
> Andre Oppermann

Sorry for bringing this up again, I am still getting discrepancies with ipfw fwd.

Here is my test:

ProxyHost# ipfw add 10 fwd DestinationHost icmp from SourceHost to any
SourceHost# ping Proxy_Host

** On 5.3 Stable (5.4-PRERELEASE #1: Sun Feb 27 20:31:49 EST 2005) and 6.0 Current (6.0-CURRENT #8: Tue Mar 1 12:32:33 EST 2005) I get replies from ProxyHost without any forwarding to DestinationHost

** On 4-x and 5.2.1 Fwd works and packets hit DestinationHost

-Talal