> >> However, I have changed /etc/network/options, and changed spoofprotect
> >> to no. Doesn't that turn off route filtering?
> >
> > It's set in shorewall configuration (interfaces(?)).
>
> I thought it might, but the Bering docs indicate otherwise - that the
> easiest way is by changing /etc/network/options.

Trust but verify. There has been a new release of shorewall on bering since I last touched or tested that doc. It could be that it is overriding the setting I recommended. Also, I have found that it really only matters in quite strange tunneling setups (like I was using at the time).

It could pay to understand what reverse path filtering actually does:

If the packet comes in from a given source ip address on an interface that would not be used to send a packet to that address, the packet is dropped if rp_filter is set on the interface OR if it is set on "all" interfaces.

Example from Mobile IP: A foreign agent receives traffic on an ipip tunnel interface (tunl0) for delivery to a mobile node in his visitor list. The source address is someone on the internet (say, www.yahoo.com). If he were to send a packet to www.yahoo.com, it would be sent through eth0, his default route. rp_filter will drop this packet (in an excruciatingly silent manner) because it was received on tunl0 (when de-tunneled), but traffic sent to that host would be sent through eth0. That is what rp_filter means.

In practice, with ipsec, if you are using the %defaultroute command in ipsec.conf, you will probably not really need rp_filter disabled because all traffic coming in on the ipsecN interface will also be routed back out the same ipsec interface it came in on.

There you go.

--
Chad Carr [EMAIL PROTECTED]

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
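
An added example, not part of the message above: a small Python model of the drop rule as the message describes it, applied to the Mobile IP and ipsec cases. The routing tables, the addresses (203.0.113.10 standing in for the internet host, 10.8.0.0/24 for a remote ipsec subnet) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed routing tables: (destination prefix, outgoing interface).
FOREIGN_AGENT_ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route, as in the Mobile IP example
    ("192.168.1.0/24", "eth1"),   # local LAN (assumed)
]
IPSEC_GATEWAY_ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route
    ("10.8.0.0/24", "ipsec0"),    # remote subnet reached via ipsec0 (assumed)
]


def egress_interface(routes, address):
    """Longest-prefix match: the interface a packet to `address` would leave on."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_drops(routes, rp_filter, src, in_iface):
    """True if the packet is dropped under the rule described in the message.

    rp_filter maps interface names (and "all") to 0 or 1, mirroring the
    files under /proc/sys/net/ipv4/conf/<name>/rp_filter.
    """
    enabled = rp_filter.get(in_iface, 0) or rp_filter.get("all", 0)
    if not enabled:
        return False
    # Drop when a reply to the source would not leave via the arrival interface.
    return egress_interface(routes, src) != in_iface


if __name__ == "__main__":
    cases = [
        ("Mobile IP, tunl0 filtered", FOREIGN_AGENT_ROUTES, {"tunl0": 1},
         "203.0.113.10", "tunl0"),
        ("Mobile IP, filter off", FOREIGN_AGENT_ROUTES, {"tunl0": 0, "all": 0},
         "203.0.113.10", "tunl0"),
        ("ipsec, symmetric route", IPSEC_GATEWAY_ROUTES, {"all": 1},
         "10.8.0.5", "ipsec0"),
    ]
    for name, routes, flags, src, iface in cases:
        verdict = "DROP" if rp_filter_drops(routes, flags, src, iface) else "accept"
        print(f"{name}: {verdict}")
```

Because the drop is silent, comparing the route lookup for the source address against the arrival interface, as this model does, is the quickest way to confirm whether rp_filter explains missing tunnel traffic.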