Subject: Re: Odd ipf behaviour?
To: Kimmo Suominen <kim@tac.nyc.ny.us>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 09/20/1999 13:28:24
Cc: tech-security@netbsd.org
Message-ID: <19990920132824.Y485@acheron.middleboro.ma.us>
References: <19990919221430.L485@acheron.middleboro.ma.us> <FICCHK.1Gq@tac.nyc.ny.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <FICCHK.1Gq@tac.nyc.ny.us>

On Mon, Sep 20, 1999 at 04:29:44AM +0000, Kimmo Suominen wrote:

> I think NAT happens on incoming packets before ipf gets them.  Outgoing
> packets, on the other hand, are handed to NAT after ipf has seen them.
> 
> So the odd packets probably did not have any options set?

Okay... That would make sense, and it syncs well with Manuel's thought that
it was related to an internal site browsing the web. This all now makes sense,
if NAT got the packet first and translated the destination address before
passing it off to the second round of filtering.

http://coombs.anu.edu.au/~avalon/ipfil-flow.html

I guess I need to look at my setup once more. Maybe my filter is catching
some legitimate traffic.

I'm glad to have an explanation of this business with the packet looking like
it must have been source routed but, indeed, not being source routed. Thanks...

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  They also surf who
awake ? sleep : dream;  http://acheron.ne.mediaone.net  only stand on waves.
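The ordering Kimmo describes (inbound: NAT, then filter; outbound: filter, then NAT) has a direct practical consequence for how rules get written, which the thread above never spells out. The fragments below are an added illustration and are not from this message or from the IPFilter distribution; the external address 192.0.2.1, the internal network 10.0.0.0/24 and the interface name ex0 are assumptions chosen for the example.

```conf
# Added example, not from the original post.  Interface ex0, external
# address 192.0.2.1 and internal network 10.0.0.0/24 are assumed.

# --- /etc/ipnat.conf ---
# Outbound packets reach NAT only after ipf has filtered them, so the
# filter sees the untranslated 10.0.0.0/24 source.  Inbound replies are
# rewritten here BEFORE ipf sees them, so the filter sees the internal
# destination, never 192.0.2.1.
map ex0 10.0.0.0/24 -> 192.0.2.1/32 portmap tcp/udp 40000:60000
map ex0 10.0.0.0/24 -> 192.0.2.1/32

# --- /etc/ipf.conf ---
# Outbound: written against the internal source address, because that is
# what the filter sees at this point in the flow.
pass out quick on ex0 proto tcp from 10.0.0.0/24 to any flags S keep state
pass out quick on ex0 proto udp from 10.0.0.0/24 to any keep state

# Inbound anti-spoofing: NAT only rewrites the DESTINATION of inbound
# replies, so a packet arriving on the outside interface with an internal
# SOURCE is still bogus after NAT and can safely be dropped.
block in log quick on ex0 from 10.0.0.0/24 to any

# Inbound rule that looks right but is affected by the ordering: since NAT
# has already rewritten replies to a mapped session so that they are
# addressed to 10.0.0.x, this rule matches those replies as well as
# genuinely unsolicited packets.  The keep-state entries created by the
# outbound rules above let the legitimate replies through, but anything
# that is not covered by state (for example a session started before the
# state table was populated) shows up in the log with the internal
# destination, which is the kind of "odd" log line discussed above.
block in log quick on ex0 from any to 10.0.0.0/24

# Inbound rule that does NOT do what its author probably intended: once NAT
# has run, no reply packet carries 192.0.2.1 as its destination, so this
# never matches translated traffic.
block in log quick on ex0 from any to 192.0.2.1/32
```

The practical rule of thumb that follows from the flow diagram linked above is that ipf rules on both sides see the internal addresses of NAT-mapped traffic, so rules meant to catch unsolicited inbound packets to the translated address must be written against the internal network, and whatever is logged by such a rule should be compared with the NAT table (ipnat -l) before concluding that the packet was anomalous.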