[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Harald Leinders <harald dot leinders at denkwerk dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] again: internal icmp redirects and static routes
 Date:  Sat, 15 Jan 2005 23:10:41 -0500
On Fri, 14 Jan 2005 12:26:51 +0100, Harald Leinders
<harald dot leinders at denkwerk dot com> wrote:
> 
> I'm managing a LAN with about 100 client ip's. I'd like to replace my
> main gateway (a netboz)  with a monowall. My LAN is connected via VPN
> to several customers (Subnet-to-subnet), located parallel to the main
> gateway (hardware solutions, cannot be substitued, see below). The only
> way to establish this setup (beside entering static routes in 100
> clients :) is to use internal icmp redirects. monowall seems to block
> this kind of icmp traffic. Is there any way to enable it?
> 

ICMP redirects are a bad idea from a security perspective, so I'd stay
away from that.  Ideally you should disable ICMP redirects on your
machines because it would let somebody on your LAN do all kinds of
nasty stuff with re-routing traffic.

I question your statement about requiring static routes on 100 client
machines, unless I'm missing something.  You should be able to put in
static routes on m0n0wall pointing to that VPN gateway for the VPN
subnets.

-Chris