Re: PF Reflection (cont'd)

On 15 Nov 2002, Jason Dixon wrote:
> Well, things started to clear up a bit just now when I captured the
> session with ethereal.  Around the 7th packet into the connection, the
> gateway sends an ICMP redirect (type 5, code 1) to the server with the
> client's IP as the "gateway"!  This appears to be causing the server to
> route the return packets directly to the client interface, even though
> the IP says otherwise.
> Any idea what would cause this behavior?  Is this normal?  Is it a
> byproduct of some weird conflicting pf rule?
Gateways send ICMP redirects if they notice that a routed packet leaves
the same interface as where it came in on. That's normal behavior.
In your case the packet is NAT'ed twice though, which probably confuses
the network stack as much as it does me.  :-)
Blocking those redirects on the gateway may well not be possible,
since pf matches ICMP errors automagically to existing states.
What does the ICMP redirect look like exactly?
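As an added illustration (not code from either poster), here is a small Python decoder for an ICMP redirect of the kind described above, with the sanity check a receiving host or a monitoring tool would apply: a redirect whose advertised gateway is not on the host's own connected network should never be honoured. All addresses and the sample packet are constructed from documentation ranges, not taken from the thread's capture.

```python
import struct
import ipaddress

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "net", 1: "host", 2: "tos+net", 3: "tos+host"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp_redirect(msg: bytes) -> dict:
    """Decode type/code/new-gateway plus the embedded IP header of the redirected packet."""
    if len(msg) < 8 + 20 + 8:          # ICMP header + inner IP header + 8 payload bytes
        raise ValueError("too short for an ICMP redirect")
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % icmp_type)
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]                     # IP header of the packet that triggered the redirect
    src, dst = struct.unpack("!4s4s", inner[12:20])
    return {
        "code": REDIRECT_CODES.get(code, "unknown(%d)" % code),
        "new_gateway": str(ipaddress.IPv4Address(gw)),
        "orig_src": str(ipaddress.IPv4Address(src)),
        "orig_dst": str(ipaddress.IPv4Address(dst)),
        "orig_proto": inner[9],
    }

def is_offlink_gateway(info: dict, local_net: str) -> bool:
    """A host should ignore a redirect whose new gateway is not on its own connected network."""
    return ipaddress.IPv4Address(info["new_gateway"]) not in ipaddress.IPv4Network(local_net)

def build_redirect(gw: str, orig_src: str, orig_dst: str, proto: int = 6) -> bytes:
    """Constructed sample (not a capture): a type 5 / code 1 host redirect."""
    ip4 = lambda a: ipaddress.IPv4Address(a).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, proto, 0,
                        ip4(orig_src), ip4(orig_dst))
    first8 = struct.pack("!HHI", 443, 40000, 1)   # TCP sport, dport, seq of original packet
    body = bytes([ICMP_REDIRECT, 1, 0, 0]) + ip4(gw) + inner + first8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

if __name__ == "__main__":
    # Thread's scenario with constructed addresses: server 192.0.2.10 is told to reach client 198.51.100.7 via itself
    info = parse_icmp_redirect(build_redirect("198.51.100.7", "192.0.2.10", "198.51.100.7"))
    print(info, "off-link gateway:", is_offlink_gateway(info, "192.0.2.0/24"))
```

The decoder only looks at the ICMP header and the embedded IP header; the 8 trailing payload bytes are kept so the message has the minimum length a real redirect carries.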