Chris Buechler wrote:
>ICMP redirects are a bad idea from a security perspective, so I'd stay
>away from that. Ideally you should disable ICMP redirects on your
>machines because it would let somebody on your LAN do all kinds of
>nasty stuff with re-routing traffic.
>
>I question your statement about requiring static routes on 100 client
>machines, unless I'm missing something. You should be able to put in
>static routes on m0n0wall pointing to that VPN gateway for the VPN
>subnets.
>
>
Unless I'm mistaken, m0n0wall's static route table sends ICMP redirects
to the machine sending traffic to m0n0wall when another route applies
(at least if the other route's destination is on the LAN rather than the
WAN...)
--
Usenet is like a herd of performing elephants with diarrhea --
massive, difficult to redirect, awe-inspiring, entertaining, and a
source of mind-boggling amounts of shit when you least expect it.
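
A way to monitor the behaviour discussed in this thread, as an added example that is not part of either poster's message: it parses ICMP redirect messages (type 5, RFC 792) from raw IPv4 packets and flags any that do not come from the firewall or that point at a next hop other than the VPN gateway. The addresses, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumed LAN layout, constructed for this example.
TRUSTED_ROUTERS = {"192.168.1.1"}        # firewall LAN address (assumed)
EXPECTED_NEXT_HOPS = {"192.168.1.254"}   # internal VPN gateway (assumed)

def parse_redirect(packet: bytes):
    """Return the fields of an ICMP redirect in a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4             # outer IP header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                          # not ICMP, or truncated
    if packet[ihl] != 5:                     # ICMP type 5 = redirect
        return None
    inner = packet[ihl + 8:]                 # embedded header of the original datagram
    return {
        "sender": str(ipaddress.IPv4Address(packet[12:16])),
        "recipient": str(ipaddress.IPv4Address(packet[16:20])),
        "code": packet[ihl + 1],
        "new_gateway": str(ipaddress.IPv4Address(packet[ihl + 4:ihl + 8])),
        "redirected_dst": str(ipaddress.IPv4Address(inner[16:20])) if len(inner) >= 20 else None,
    }

def classify(packet: bytes) -> str:
    """Label a packet: expected redirect, alert, or not a redirect at all."""
    r = parse_redirect(packet)
    if r is None:
        return "not-redirect"
    if r["sender"] not in TRUSTED_ROUTERS:
        return "alert: redirect from non-router " + r["sender"]
    if r["new_gateway"] not in EXPECTED_NEXT_HOPS:
        return "alert: unexpected next hop " + r["new_gateway"]
    return "expected"

def sample_packet(sender, recipient, new_gw, dst):
    """Constructed test input for the parser (checksums zero, never sent)."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    inner = struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 17, 0) + ip(recipient) + ip(dst) + b"\0" * 8
    icmp = struct.pack("!BBH", 5, 1, 0) + ip(new_gw) + inner
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0) + ip(sender) + ip(recipient)
    return outer + icmp
```

On hosts where redirects have been disabled, as the quoted advice recommends, any "alert" result is still worth investigating because it shows a machine on the LAN emitting redirects it has no reason to send.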