PF Reflection (cont'd)

So I'm still trying to get tcp reflection working on my internal
network.  The rules are set up properly, but I'm seeing some odd
behavior.  The client sends a packet to the ext_if of the firewall, the
gateway does redirect and NAT on the int_if, and sends it on to the
internal server.  Everything up to the packet hitting the server looks

Well, at this point this gets weird.  A tcpdump of all interfaces shows
that the server *attempts* to send the return packet to the gateway, but
it uses the CLIENT mac address instead!  I've been beating my head
against the wall on this for a few days now (I have the tcpdump captures
and dented wall to prove it).

Well, things started to clear up a bit just now when I captured the
session with ethereal.  Around the 7th packet into the connection, the
gateway sends an ICMP redirect (type 5, code 1) to the server with the
client's IP as the "gateway"!  This appears to be causing the server to
route the return packets directly to the client interface, even though
the IP says otherwise.

Any idea what would cause this behavior?  Is this normal?  Is it a
byproduct of some weird conflicting pf rule?
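
The ICMP redirect described in the post (type 5, code 1) can be decoded from a capture to see which destination the receiving host is being told to reach through which gateway. The following is an added example, not part of the original post; the field layout follows RFC 792, and the sample bytes and addresses are constructed rather than taken from the poster's capture.

```python
import ipaddress
import struct

REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_redirect(icmp: bytes):
    """Decode an ICMP redirect (RFC 792); return None for anything else."""
    if len(icmp) < 8 + 20:           # ICMP header + minimal embedded IP header
        return None
    icmp_type, code, _cksum = struct.unpack("!BBH", icmp[:4])
    if icmp_type != 5:
        return None
    inner = icmp[8:]                 # IP header of the datagram that triggered it
    return {
        "scope": REDIRECT_CODES.get(code, "unknown"),
        # A valid message checksums to zero when its own checksum is included.
        "checksum_ok": inet_checksum(icmp) == 0,
        "new_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }

def build_sample() -> bytes:
    """Constructed redirect: a host is told to reach an on-link peer directly."""
    server, client = "192.0.2.10", "192.0.2.50"   # constructed addresses
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           ipaddress.IPv4Address(server).packed,
                           ipaddress.IPv4Address(client).packed)
    body = ipaddress.IPv4Address(client).packed + inner_ip + b"\x00" * 8
    cksum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, cksum) + body

if __name__ == "__main__":
    r = parse_icmp_redirect(build_sample())
    print(f"{r['scope']} redirect: {r['orig_src']} -> {r['orig_dst']} "
          f"via {r['new_gateway']} (checksum ok: {r['checksum_ok']})")
```

When `new_gateway` equals `orig_dst`, the sender of the redirect is saying the destination is directly reachable on the local segment, which matches a host that then addresses frames to that peer's MAC.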