Re: PF Reflection (cont'd)
On Sat, 2002-11-16 at 04:20, Camiel Dobbelaar wrote:
> On 15 Nov 2002, Jason Dixon wrote:
> > Well, things started to clear up a bit just now when I captured the
> > session with ethereal. Around the 7th packet into the connection, the
> > gateway sends an ICMP redirect (type 5, code 1) to the server with the
> > client's IP as the "gateway"! This appears to be causing the server to
> > route the return packets directly to the client interface, even though
> > the IP says otherwise.
> > Any idea what would cause this behavior? Is this normal? Is it a
> > byproduct of some weird conflicting pf rule?
> Gateways send ICMP redirects if they notice that a routed packet leaves
> the same interface as where it came in on. That's normal behavior.
> In your case the packet is NAT'ed twice though, which probably confuses
> the network stack as much as it does me. :-)
> Blocking those redirects on the gateway may well not be possible,
> since pf matches ICMP errors automagically to existing states.
> What does the ICMP redirect look like exactly?
Which bits? It's a type 5 (redirect) icmp packet with a source of the
firewall's internal interface and a destination of the server. Tells
the server that the "gateway address" should be "the client's IP".
I know it sounds odd, but both the FAQ and Daniel claim (and I believe
them) that this setup should work. It may be ugly, but it's been
tested. I see what you're saying though, about the packet crossing the
same interface. It seems as though we really should be doing the
redirect on the external interface. *sigh*
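As an added illustration of the packet being discussed (this is example code written for this page, not anything from the thread or from pf), the following Python builds an ICMP redirect of the shape described above (type 5, code 1, gateway field set to the client's address, the offending datagram's IP header embedded after it), parses it back out of raw bytes, and applies the RFC 1122 host-side acceptance checks: the redirect must come from the host's current first-hop gateway and the advertised gateway must lie on a directly connected network. All addresses (gateway 192.168.1.1, server 192.168.1.10, client 192.168.1.20) are constructed assumptions.

```python
"""Build, parse and validate an ICMP redirect (type 5) from raw bytes.

Added example for this thread; addresses below are constructed, not from
the original capture.
"""
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(gw_src: str, target: str, advertised_gw: str,
                        orig_src: str, orig_dst: str) -> bytes:
    """Gateway gw_src tells host target to reach orig_dst via advertised_gw."""
    # The redirect carries the IP header plus first 8 bytes of the datagram
    # that triggered it (here a constructed TCP header stub, proto 6).
    orig_hdr = build_ipv4_header(orig_src, orig_dst, 6, 20)
    orig_l4 = struct.pack("!HHI", 80, 49152, 0)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, socket.inet_aton(advertised_gw))
    icmp += orig_hdr + orig_l4
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(gw_src, target, 1, len(icmp)) + icmp


def parse_icmp_redirect(packet: bytes) -> dict:
    """Pull the fields a host cares about out of a raw IPv4+ICMP redirect."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    icmp = packet[ihl:]
    itype, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % itype)
    if inet_checksum(icmp) != 0:  # a valid checksum sums to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]  # embedded header of the datagram that caused the redirect
    return {
        "from_gateway": src,
        "to_host": dst,
        "code": REDIRECT_CODES.get(code, "unknown"),
        "advertised_gateway": socket.inet_ntoa(gw),
        "original_src": socket.inet_ntoa(inner[12:16]),
        "original_dst": socket.inet_ntoa(inner[16:20]),
    }


def redirect_is_acceptable(info: dict, current_first_hop: str, local_net: str):
    """RFC 1122 section 3.2.2.2 checks a host applies before honouring a redirect."""
    if info["from_gateway"] != current_first_hop:
        return False, "redirect did not come from the current first-hop gateway"
    if ipaddress.ip_address(info["advertised_gateway"]) not in ipaddress.ip_network(local_net):
        return False, "advertised gateway is not on a directly connected network"
    if info["advertised_gateway"] == info["original_dst"]:
        return True, "advertised gateway is the destination itself (deliver on-link)"
    return True, "valid %s redirect" % info["code"]


if __name__ == "__main__":
    # Constructed sample: gateway 192.168.1.1 redirects server 192.168.1.10
    # to send traffic for client 192.168.1.20 straight to the client.
    pkt = build_icmp_redirect("192.168.1.1", "192.168.1.10", "192.168.1.20",
                              "192.168.1.10", "192.168.1.20")
    info = parse_icmp_redirect(pkt)
    print(info)
    print(redirect_is_acceptable(info, "192.168.1.1", "192.168.1.0/24"))
```

The last branch of `redirect_is_acceptable` is the case from the capture: the advertised gateway is the destination host itself, which a host treats as "this destination is on-link", so the server starts replying to the client directly and bypasses the gateway's state table. Running the parser over a capture's ICMP payloads is a straightforward way to confirm which address ended up in the gateway field.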