Re: PF Reflection (cont'd)

On Sat, 2002-11-16 at 05:14, Cedric Berger wrote:
> Camiel Dobbelaar wrote:
> >>Well, things started to clear up a bit just now when I captured the
> >>session with ethereal.  Around the 7th packet into the connection, the
> >>gateway sends an ICMP redirect (type 5, code 1) to the server with the
> >>client's IP as the "gateway"!  This appears to be causing the server to
> >>route the return packets directly to the client interface, even though
> >>the IP says otherwise.
> >>
> >>Any idea what would cause this behavior?  Is this normal?  Is it a
> >>byproduct of some weird conflicting pf rule?
> >>
> Yes.
> I've used exactly the same configuration you're using
> (i.e. double NAT). And I got the same problem (ICMP redirect):
> >Blocking those redirects on the gateway may well not be possible,
> >since pf matches ICMP errors automagically to existing states.
> >
> On the contrary, it is very easy:
> sysctl -w net.inet.ip.redirect=0
> Cedric
Thank you!!!  Where should I send the beer?  ;-)
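An added example, not code from this thread: a small Python check over tcpdump-style capture lines that flags ICMP redirects whose advertised next hop is not a trusted router, which is the symptom described above (the gateway naming the client's own address as the gateway). The sample lines and the trusted-router list are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed tcpdump-style lines (not from the original thread). The last
# line mimics the symptom in the thread: the gateway 192.168.1.1 tells the
# server 10.0.0.5 to reach client 192.168.1.20 via 192.168.1.20 itself.
SAMPLE_LINES = """\
12:00:01.000001 IP 10.0.0.5.443 > 192.168.1.20.51234: Flags [P.], seq 1:100, ack 1, length 99
12:00:01.000002 IP 192.168.1.1 > 10.0.0.5: ICMP redirect 192.168.1.20 to host 192.168.1.1, length 36
12:00:01.000003 IP 192.168.1.1 > 10.0.0.5: ICMP redirect 192.168.1.20 to host 192.168.1.20, length 36
"""

# Matches the "ICMP redirect <target> to host|net <new gateway>" form tcpdump prints
REDIRECT_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP redirect (?P<target>[\d.]+) "
    r"to (?:host|net) (?P<new_gw>[\d.]+)"
)


def find_redirects(text, trusted_routers):
    """Return one record per ICMP redirect line in `text`.

    A redirect is marked suspicious when the advertised next hop is not one of
    `trusted_routers`, or when it equals the redirect target itself (the
    double-NAT case from the thread, which makes the server bypass the gateway).
    """
    trusted = {ip_address(r) for r in trusted_routers}
    records = []
    for line in text.splitlines():
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        new_gw = ip_address(m["new_gw"])
        records.append({
            "src": m["src"],
            "dst": m["dst"],
            "target": m["target"],
            "new_gw": m["new_gw"],
            "suspicious": new_gw not in trusted or m["new_gw"] == m["target"],
        })
    return records


if __name__ == "__main__":
    for rec in find_redirects(SAMPLE_LINES, ["192.168.1.1"]):
        print("SUSPICIOUS" if rec["suspicious"] else "ok", rec)
```

On the host that received such a redirect, the thread's fix applies regardless: disable honoring redirects (`net.inet.ip.redirect=0` on the BSD gateway, as Cedric notes) and re-check the capture.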