Re: PF Reflection (cont'd)
On Sat, 2002-11-16 at 05:14, Cedric Berger wrote:
> Camiel Dobbelaar wrote:
> >>Well, things started to clear up a bit just now when I captured the
> >>session with ethereal. Around the 7th packet into the connection, the
> >>gateway sends an ICMP redirect (type 5, code 1) to the server with the
> >>client's IP as the "gateway"! This appears to be causing the server to
> >>route the return packets directly to the client interface, even though
> >>the IP says otherwise.
> >>Any idea what would cause this behavior? Is this normal? Is it a
> >>byproduct of some weird conflicting pf rule?
> I've used exactly the same configuration you're using
> (i.e. double NAT). And I got the same problem (ICMP redirect):
> >Blocking those redirects on the gateway may well not be possible,
> >since pf matches ICMP errors automagically to existing states.
> On the contrary, it is very easy:
> sysctl -w net.inet.ip.redirect=0
Thank you!!! Where should I send the beer? ;-)
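
To check in a capture whether a message is the kind of redirect discussed in this thread (ICMP type 5, code 1) and which gateway it announces, the ICMP portion can be parsed as below. This is an added example, not code from the thread; the function names are hypothetical and the sample message and its documentation-range addresses are constructed.

```python
import socket
import struct

REDIRECT_CODES = {0: "network", 1: "host", 2: "tos-network", 3: "tos-host"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; a valid message checks to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes):
    """Return details of an ICMP redirect, or None if not a valid one."""
    # 8 bytes of ICMP header + at least a 20-byte embedded IPv4 header
    if len(icmp) < 28 or icmp[0] != 5:
        return None
    if inet_checksum(icmp) != 0:
        return None  # corrupted, or built without a correct checksum
    inner = icmp[8:]  # header of the datagram that triggered the redirect
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    return {
        "code": REDIRECT_CODES.get(icmp[1], "unknown"),
        "new_gateway": socket.inet_ntoa(icmp[4:8]),   # "use this router"
        "flow_src": socket.inet_ntoa(inner[12:16]),   # host being redirected
        "flow_dst": socket.inet_ntoa(inner[16:20]),   # destination affected
    }

def build_sample() -> bytes:
    """Constructed message: type 5, code 1, gateway field 192.0.2.50."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        socket.inet_aton("192.0.2.10"),
                        socket.inet_aton("198.51.100.20"))
    inner += b"\x00" * 8  # first 8 payload bytes of the original datagram
    body = socket.inet_aton("192.0.2.50") + inner
    csum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, csum) + body

if __name__ == "__main__":
    print(parse_redirect(build_sample()))
```

With `net.inet.ip.redirect=0` set on the gateway as described above, a capture on the server side should no longer yield messages that this parser accepts from that gateway.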