 From:  Dave Warren <maillist at devilsplayground dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] again: internal icmp redirects and static routes
 Date:  Tue, 18 Jan 2005 14:23:27 -0700
Chris Buechler wrote:

>On Sun, 16 Jan 2005 01:13:55 -0700, Dave Warren
><maillist at devilsplayground dot net> wrote:
>>Unless I'm mistaken, m0n0wall's static route table sends ICMP redirects
>>to the machine sending traffic to m0n0wall when another route applies
>>(at least if the other route's destination is on the LAN rather than the
>Yep, just tried it and it sure does, under those circumstances. 
>That's the default behavior of most equipment, though not most
>firewalls I believe.  The commercial one I'm most familiar with, Cisco
>PIX, will outright drop any packets coming in on an interface that are
>supposed to be routed out the same interface (stupid limitation, but
>beside the point).
>No harm in sending them (the device isn't required to comply), since
>technically it probably should to comply with RFCs.  I'm going to
>check to see if it accepts them, since that'd be a risk.
I'm not aware of any RFC which requires sending the redirect packet, but 
it's a good idea since if the client receives and honours the packet, 
the firewall doesn't have to worry about redirecting the traffic anymore.

Unfortunately there is no way to broadcast when a static route is 
deleted and the entry should be dropped from the route tables.  With 
Windows-based clients a reboot is the easiest way to fix the problem 
(yes, you can use the route command -- but many corporate networks don't 
give users the ability to use the route command, nor do you want users 
playing with it needlessly).

They call it "PMS" because "Mad Cow Disease" was already taken
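As an added illustration, not part of this thread or of m0n0wall's own code, the following Python parses an ICMP redirect of the kind discussed above and applies the checks a cautious host makes before honouring one (the redirect must come from the first hop the host is actually using, and must point at a different router on the directly attached LAN). All addresses and the sample packet are constructed.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMP type 5; code 0 = network redirect, code 1 = host redirect


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message (0 when the message verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4_header(proto: int, length: int, src: str, dst: str) -> bytes:
    # Minimal 20-byte IPv4 header; the IP header checksum is left zero, it is not checked below.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_redirect(router: str, new_gw: str, orig_src: str, orig_dst: str, code: int = 1) -> bytes:
    """Constructed sample: router tells orig_src to reach orig_dst via new_gw.
    The payload is the original datagram's IP header plus 8 bytes, as the redirect format requires."""
    quoted = _ipv4_header(17, 28, orig_src, orig_dst) + b"\x00" * 8
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, ipaddress.IPv4Address(new_gw).packed) + quoted
    body = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    return _ipv4_header(1, 20 + len(body), router, orig_src) + body


def parse_redirect(pkt: bytes):
    """Return the redirect's fields, or None if pkt is not a well-formed ICMP redirect."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8 + 20:  # protocol must be ICMP, with room for the quoted header
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_REDIRECT or icmp_checksum(icmp) != 0:
        return None
    return {"router": str(ipaddress.IPv4Address(pkt[12:16])), "code": icmp[1],
            "new_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
            "orig_dst": str(ipaddress.IPv4Address(icmp[24:28]))}  # dst field of the quoted header


def redirect_is_acceptable(info: dict, current_gateway: str, lan: str) -> bool:
    """Only the router currently in use may redirect, and only to another router on the local link."""
    return (info["router"] == current_gateway
            and info["new_gateway"] != info["router"]
            and ipaddress.ip_address(info["new_gateway"]) in ipaddress.ip_network(lan))
```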