I recently got the urge to do a security review of a network I manage with a Linksys Router.  It was running the latest version of dd-wrt with a set of unmodified (as best I knew) firewall rules.  I had a scare when the first thing I saw was:

root@DD-WRT:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  u12-20.dsl.vianetworks.de  anywhere
ACCEPT     0    --  newmedia.bensheim.manet.de  anywhere
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED

--cut--

Apparently this is a known issue with the vpn version of dd-wrt v24 sp1.  I could only find one reference to it on the internet here.  The form thread explains a few ways to disable it and a fix has been checked into the main source tree.  It was still a little unnerving considering this was the first thing I looked at!