Subject: Re: IPsec tunnel mode and IP forwarding
To: Richard Braun <syn@sceen.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 10/04/2004 09:37:28
On Fri, Oct 01, 2004 at 11:56:03PM +0200, Richard Braun wrote:
> On Fri, Oct 01, 2004 at 11:09:59PM +0200, Emmanuel Dreyfus wrote:
> > Hi
> > 
> > When using IPsec in tunnel mode, the machine will forward packets coming
> > from and to the tunnel regardless of the net.inet.ip.forwarding setting.
> > Is it on purpose or is it a bug?
> 
> It may be on purpose for leaf tunnel mode, since this mode is intended
> for hosts.

That doesn't make sense; even with net.inet.ip.forwarding=0, the host
will accept packets for any of its interface addresses (that is, we
don't implement the "strong host model").

Automatically forwarding packets that came in on tunnels seems like a
bug, and one with security implications; it might even warrant an
advisory.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud