On Sat, 10 May 2003, Christiaens Joachim wrote:
> m0n0wall has an option NOT to filter these private addresses...
True, but in the common case, not blocking them at all leaves you wide
open to spoofing. In principle, there's a way of handling the spoofing
issue explicitly, but that would require kernel support. If you have to
do it with IP Filter, then in the usual case what you want is to block
most outside packets with private source IPs (or at least the private IPs
in the range of your own LAN), but let the ICMP errors through.
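
An added example, not part of the original message or of m0n0wall's own ruleset: one way to write the policy described above in ipf.conf. The interface name fxp0 (outside interface) and the selection of ICMP error types (unreachable, time exceeded, parameter problem) are assumptions made for illustration.

```ipf
# Added example. Assumption: fxp0 is the outside (WAN) interface.
#
# "quick" ends rule processing at the first matching rule, so the
# ICMP error exceptions have to appear before the block rules.

# 1. Admit ICMP error messages that arrive with a private source address.
#    unreach = type 3, timex = type 11, paramprob = type 12.
pass in quick on fxp0 proto icmp from 10.0.0.0/8     to any icmp-type unreach
pass in quick on fxp0 proto icmp from 10.0.0.0/8     to any icmp-type timex
pass in quick on fxp0 proto icmp from 10.0.0.0/8     to any icmp-type paramprob
pass in quick on fxp0 proto icmp from 172.16.0.0/12  to any icmp-type unreach
pass in quick on fxp0 proto icmp from 172.16.0.0/12  to any icmp-type timex
pass in quick on fxp0 proto icmp from 172.16.0.0/12  to any icmp-type paramprob
pass in quick on fxp0 proto icmp from 192.168.0.0/16 to any icmp-type unreach
pass in quick on fxp0 proto icmp from 192.168.0.0/16 to any icmp-type timex
pass in quick on fxp0 proto icmp from 192.168.0.0/16 to any icmp-type paramprob

# 2. Drop and log everything else that claims a private source address
#    on the outside interface (spoofed LAN addresses included).
block in log quick on fxp0 from 10.0.0.0/8     to any
block in log quick on fxp0 from 172.16.0.0/12  to any
block in log quick on fxp0 from 192.168.0.0/16 to any
```

The logged drops can be read with ipmon, which gives a record of spoofing attempts against the outside interface.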