Subject: Re: IPsec tunnel mode and IP forwarding
To: Richard Braun <>
From: Thor Lancelot Simon <>
List: tech-net
Date: 10/04/2004 09:37:28
On Fri, Oct 01, 2004 at 11:56:03PM +0200, Richard Braun wrote:
> On Fri, Oct 01, 2004 at 11:09:59PM +0200, Emmanuel Dreyfus wrote:
> > Hi
> > 
> > When using IPsec in tunnel mode, the machine will forward packets coming
> > from and to the tunnel regardless of the net.inet.ip.forwarding setting.
> > Is it on purpose or is it a bug?
> It may be on purpose for leaf tunnel mode, since this mode is intended
> for hosts.

That doesn't make sense; even with net.inet.ip.forwarding=0, the host
will accept packets for any of its interface addresses (that is, we
don't implement the "strong host model").

Automatically forwarding packets that came in on tunnels seems like a
bug, and one with security implications; it might even warrant an

 Thor Lancelot Simon
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
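The forwarding decision the thread argues about, written out as a small model (an added illustration for this archive page, not NetBSD's ip_input()/ip_forward() code and not anything posted by the participants). The interface addresses and packets are constructed samples; `gate_tunnel` is a hypothetical switch that lets the model show both the behaviour Emmanuel reported (decapsulated tunnel packets forwarded with net.inet.ip.forwarding=0) and the behaviour Thor expects (the sysctl applies to every packet, while the weak host model still delivers anything addressed to a local interface):

```python
"""Simplified model of host input vs. forwarding, as discussed in the thread.

Constructed for illustration only; it is not NetBSD kernel code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample: addresses assigned to this host's interfaces.
LOCAL_ADDRS = {IPv4Address("192.0.2.1"), IPv4Address("198.51.100.1")}


@dataclass
class Packet:
    src: str
    dst: str
    from_tunnel: bool = False  # True if just decapsulated from an IPsec tunnel-mode SA


def input_decision(pkt, forwarding, local_addrs=LOCAL_ADDRS, gate_tunnel=True):
    """Return 'deliver', 'forward' or 'drop' for an incoming packet.

    forwarding   -- value of net.inet.ip.forwarding (0/1 as bool)
    gate_tunnel  -- hypothetical switch: False reproduces the reported
                    behaviour (tunnel packets forwarded regardless of the
                    sysctl); True is the expected behaviour.

    Weak host model: a packet addressed to *any* local interface address is
    delivered locally, whichever interface it came in on and whatever the
    forwarding sysctl says. That part is the same in both variants.
    """
    dst = IPv4Address(pkt.dst)
    if dst in local_addrs:
        return "deliver"  # weak host model: local address => accept
    if forwarding:
        return "forward"  # router behaviour, explicitly enabled
    if pkt.from_tunnel and not gate_tunnel:
        return "forward"  # the bug: tunnel bypasses net.inet.ip.forwarding=0
    return "drop"         # not ours, and we are not a router


def audit(forwarding, gate_tunnel):
    """Run constructed sample packets through the model and summarise.

    The interesting row is the transit packet that arrived via the tunnel:
    with forwarding=0 it must be dropped, not relayed to a third host.
    """
    samples = {
        "to_local_addr": Packet("203.0.113.5", "198.51.100.1"),
        "transit_plain": Packet("203.0.113.5", "203.0.113.77"),
        "transit_via_tunnel": Packet("10.0.0.2", "10.0.1.9", from_tunnel=True),
    }
    return {
        name: input_decision(p, forwarding, gate_tunnel=gate_tunnel)
        for name, p in samples.items()
    }


if __name__ == "__main__":
    print("reported behaviour, forwarding=0:", audit(False, gate_tunnel=False))
    print("expected behaviour, forwarding=0:", audit(False, gate_tunnel=True))
```

The row to look at is `transit_via_tunnel` with forwarding disabled: the reported variant relays it, the expected variant drops it, and in both variants a packet to a local interface address is delivered, which is why the "intended for hosts" argument does not explain the forwarding.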