 From:  Harald Leinders <harald dot leinders at denkwerk dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] again: internal icmp redirects and static routes
 Date:  Mon, 17 Jan 2005 09:55:40 +0100
Chris,

On 16.01.2005 at 05:10, Chris Buechler wrote:

> ICMP redirects are a bad idea from a security perspective, so I'd stay
> away from that.  Ideally you should disable ICMP redirects on your
> machines because it would let somebody on your LAN do all kinds of
> nasty stuff with re-routing traffic.
>

Yes, I know, ICMP are BAD. But there are some rare cases where they are
useful and necessary, as in my LAN.

> I question your statement about requiring static routes on 100 client
> machines, unless I'm missing something.  You should be able to put in
> static routes on m0n0wall pointing to that VPN gateway for the VPN
> subnets.


Please note my update to my own posting. Of course it is possible to
put in static routes in Monowall, but it simply didn't work. It was
intercepted by an ipf rule which became active when the traffic shaper was
enabled, regardless of whether it is still active (ipfw rule 19902,
if I remember it correctly).
After a reboot, and leaving the traffic shaper alone for now, everything is
ok.

But anyway, thanks for the fast response.

Greetings from Cologne, Germany
Harald
--
consultant systeme / professional services


telefon +49 221 2942 200 | telefax +49 221 2942 101
www.denkwerk.com