 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] again: internal icmp redirects and static routes
 Date:  Mon, 17 Jan 2005 04:36:59 -0500
On Sun, 16 Jan 2005 01:13:55 -0700, Dave Warren
<maillist at devilsplayground dot net> wrote:
> Unless I'm mistaken, m0n0wall's static route table sends ICMP redirects
> to the machine sending traffic to m0n0wall when another route applies
> (at least if the other route's destination is on the LAN rather than the
> WAN...)

Yep, just tried it and it sure does, under those circumstances. 
That's the default behavior of most equipment, though not most
firewalls I believe.  The commercial one I'm most familiar with, Cisco
PIX, will outright drop any packets coming in on an interface that are
supposed to be routed out the same interface (stupid limitation, but
beside the point).

No harm in sending them (the device isn't required to comply), since
technically it probably should to comply with RFCs.  I'm going to
check to see if it accepts them, since that'd be a risk.

> Please note my update to my own posting. Of course it is possible to
> put in static routes in Monowall, but it simply didn't work. It was
> intercepted by an ipf rule which became active when traffic shaper has
> been enabled, nevertheless if it is active any longer. (ipfw rule 19902
> when I remember it correctly).
> After a reboot and leaving traffic shaper alone for now everything is
> ok.

Can you send some more details on that?  Specifically, what is the
rule that's dropping it?  Dropping the ICMP redirect, or?  Sounds like
that might be a bug, or an unintended consequence at least.