
Re: PF Reflection (cont'd)

On Sat, 2002-11-16 at 04:20, Camiel Dobbelaar wrote:
> On 15 Nov 2002, Jason Dixon wrote:
> > Well, things started to clear up a bit just now when I captured the
> > session with ethereal.  Around the 7th packet into the connection, the
> > gateway sends an ICMP redirect (type 5, code 1) to the server with the
> > client's IP as the "gateway"!  This appears to be causing the server to
> > route the return packets directly to the client interface, even though
> > the IP says otherwise.
> >
> > Any idea what would cause this behavior?  Is this normal?  Is it a
> > byproduct of some weird conflicting pf rule?
> Gateways send ICMP redirects if they notice that a routed packet leaves
> the same interface as where it came in on.  That's normal behavior.
> In your case the packet is NAT'ed twice though, which probably confuses
> the network stack as much as it does me.  :-)
> Blocking those redirects on the gateway may well not be possible,
> since pf matches ICMP errors automagically to existing states.
> What does the ICMP redirect look like exactly?
Which bits?  It's a type 5 (redirect) icmp packet with a source of the
firewall's internal interface and a destination of the server.  Tells
the server that the "gateway address" should be "the client's IP".
I know it sounds odd, but both the FAQ and Daniel claim (and I believe
them) that this setup should work.  It may be ugly, but it's been
tested.  I see what you're saying though, about the packet crossing the
same interface.  It seems as though we really should be doing the
redirect on the external interface.  *sigh*
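To answer "what does the ICMP redirect look like exactly?" in a form that can be checked rather than eyeballed in a capture, here is an added example (not code from the thread, the OpenBSD FAQ or pf) that builds and decodes a type 5 / code 1 ICMP redirect from raw bytes and flags the case the thread describes: the advertised gateway is the original datagram's own destination, i.e. the gateway is telling the server that the client is directly reachable on that link, which pulls the return traffic around the firewall. The addresses, ports and packet contents are constructed for the example and are assumptions, not values from the original mail.

```python
import socket
import struct

# Constructed sample topology (assumption, modelled on the thread):
#   gateway's internal interface 192.168.1.1, server 192.168.1.10,
#   client 192.168.1.20, all on the same internal segment.
GW_INT, SERVER, CLIENT = "192.168.1.1", "192.168.1.10", "192.168.1.20"


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data
    that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options (header checksum left zero;
    the example only inspects the ICMP checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_icmp_redirect(gw_src: str, target: str, new_gateway: str,
                        orig_src: str, orig_dst: str, orig_l4: bytes) -> bytes:
    """Build what a gateway emits when it forwards orig_src->orig_dst back out
    the interface it arrived on: ICMP type 5 code 1 (redirect for host) sent to
    `target`, carrying `new_gateway` plus the original IP header and the first
    8 bytes of its payload (RFC 792)."""
    inner = _ipv4_header(orig_src, orig_dst, 6, len(orig_l4)) + orig_l4[:8]
    icmp = struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton(new_gateway)) + inner
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header(gw_src, target, 1, len(icmp)) + icmp


def parse_icmp_redirect(pkt: bytes) -> dict:
    """Decode an IPv4 datagram carrying an ICMP redirect into the fields an
    admin wants to see: sender, receiver, advertised gateway, and the
    addresses/ports of the datagram that triggered it."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("outer protocol %d is not ICMP" % pkt[9])
    icmp = pkt[ihl:]
    itype, icode, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != 5:
        raise ValueError("ICMP type %d is not a redirect" % itype)
    if _checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                      # original IP header + 8 payload bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "icmp_src": socket.inet_ntoa(pkt[12:16]),
        "icmp_dst": socket.inet_ntoa(pkt[16:20]),
        "type": itype, "code": icode,
        "gateway": socket.inet_ntoa(gw),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_proto": inner[9],
        "orig_sport": sport, "orig_dport": dport,
    }


def redirect_points_at_destination(info: dict) -> bool:
    """True when the advertised gateway equals the original datagram's own
    destination: the host is being told to send directly, bypassing the
    firewall, the symptom seen in the thread's reflection setup."""
    return info["gateway"] == info["orig_dst"]


# Constructed sample: the server's reply (TCP 80 -> 51234) to the client,
# forwarded by the gateway, triggers a redirect naming the client as gateway.
_REPLY_TCP = struct.pack("!HHIIBBHHH", 80, 51234, 1, 0, 0x50, 0x18, 65535, 0, 0)
SAMPLE_REDIRECT = build_icmp_redirect(GW_INT, SERVER, CLIENT, SERVER, CLIENT, _REPLY_TCP)

if __name__ == "__main__":
    info = parse_icmp_redirect(SAMPLE_REDIRECT)
    print("%s -> %s: ICMP type %d code %d, use gateway %s for %s -> %s (tcp %d -> %d)" % (
        info["icmp_src"], info["icmp_dst"], info["type"], info["code"], info["gateway"],
        info["orig_src"], info["orig_dst"], info["orig_sport"], info["orig_dport"]))
    if redirect_points_at_destination(info):
        print("gateway is the destination itself: return path will bypass the firewall")
```

Fed a redirect pulled from a packet capture (the outer IPv4 datagram as bytes), `parse_icmp_redirect` gives the same fields, and the `gateway == orig_dst` test is the quick way to tell a same-segment "go direct" redirect from a redirect toward some other router.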