 From:  Dave Warren <maillist at devilsplayground dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] again: internal icmp redirects and static routes
 Date:  Tue, 18 Jan 2005 14:23:27 -0700
Chris Buechler wrote:

>On Sun, 16 Jan 2005 01:13:55 -0700, Dave Warren
><maillist at devilsplayground dot net> wrote:
>  
>
>>Unless I'm mistaken, m0n0wall's static route table sends ICMP redirects
>>to the machine sending traffic to m0n0wall when another route applies
>>(at least if the other route's destination is on the LAN rather than the
>>WAN...)
>>
>Yep, just tried it and it sure does, under those circumstances. 
>That's the default behavior of most equipment, though not most
>firewalls I believe.  The commercial one I'm most familiar with, Cisco
>PIX, will outright drop any packets coming in on an interface that are
>supposed to be routed out the same interface (stupid limitation, but
>beside the point).
>
>No harm in sending them (the device isn't required to comply), since
>technically it probably should to comply with RFCs.  I'm going to
>check to see if it accepts them, since that'd be a risk.
>  
>
I'm not aware of any RFC which requires sending the redirect packet, but 
it's a good idea since if the client receives and honours the packet, 
the firewall doesn't have to worry about redirecting the traffic anymore.

Unfortunately there is no way to broadcast when a static route is 
deleted and the entry should be dropped from the route tables.  With 
Windows based clients a reboot is the easiest way to fix the problem 
(yes, you can use the route command -- but many corporate networks don't 
give users the ability to use the route command, nor do you want users 
playing with it needlessly)

-- 
They call it "PMS" because "Mad Cow Disease" was already taken
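The mechanism the two of them are discussing, written out as an added example (this is not code from the list post, from m0n0wall, or from FreeBSD): a router builds an ICMP host redirect carrying the new gateway and the quoted original datagram, and a client that honours redirects installs a host route after the RFC 1122 section 3.2.2.2 sanity checks (the redirect must come from the current first-hop gateway for that destination, and the new gateway must be on a directly connected network). The scenario and all addresses are assumptions: the firewall at 192.168.1.1 is the LAN default gateway and has a static route for 10.0.0.0/24 via another LAN router at 192.168.1.254. The example also shows why Chris calls accepting redirects a risk: a LAN host that forges the gateway's source address passes both checks, so the only reliable defence is not honouring redirects at all.

```python
"""ICMP redirect: what a router sends, and what a redirect-honouring host does with it.
Constructed example; the addresses and scenario are assumptions, not from the thread."""
import ipaddress
import struct

ICMP_REDIRECT = 5   # ICMP type for redirect (RFC 792)
CODE_HOST = 1       # "redirect datagrams for the host"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the IP header checksum is left zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_redirect(router: str, host: str, new_gw: str, orig_dst: str) -> bytes:
    """Redirect as a router sends it: type 5, code 1, the new gateway address, then the
    IP header and first 8 bytes of the datagram that triggered it (RFC 792)."""
    offending = ipv4_header(host, orig_dst, 6, 8) + b"\x00" * 8   # constructed TCP stub
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, CODE_HOST, 0,
                       ipaddress.IPv4Address(new_gw).packed) + offending
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, host, 1, len(icmp)) + icmp


def parse_redirect(packet: bytes) -> dict:
    """Extract the fields a host acts on: sender, new gateway, and the destination it covers."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    typ, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]   # the quoted original datagram; its destination is what gets rerouted
    return {
        "sender": ipaddress.IPv4Address(packet[12:16]),
        "code": code,
        "new_gateway": ipaddress.IPv4Address(gw),
        "destination": ipaddress.IPv4Address(inner[16:20]),
    }


class HostRoutes:
    """A client's route table: longest-prefix match with a default route as fallback."""

    def __init__(self, local_net: str, default_gw: str, accept_redirects: bool = True):
        self.local_net = ipaddress.IPv4Network(local_net)
        self.routes = {ipaddress.IPv4Network("0.0.0.0/0"): ipaddress.IPv4Address(default_gw)}
        self.accept_redirects = accept_redirects

    def next_hop(self, dst: str) -> ipaddress.IPv4Address:
        dst = ipaddress.IPv4Address(dst)
        best = max((n for n in self.routes if dst in n), key=lambda n: n.prefixlen)
        return self.routes[best]

    def apply_redirect(self, packet: bytes) -> tuple:
        """Decide as an RFC 1122 section 3.2.2.2 host would: accept only from the current
        first-hop gateway for that destination, and only to a gateway on a connected net."""
        r = parse_redirect(packet)
        if not self.accept_redirects:
            return False, "redirects disabled on this host"
        if r["sender"] != self.next_hop(r["destination"]):
            return False, f"ignored: {r['sender']} is not the current gateway for {r['destination']}"
        if r["new_gateway"] not in self.local_net:
            return False, f"ignored: {r['new_gateway']} is not on {self.local_net}"
        # The protocol has no "un-redirect": this entry stays until something on the
        # host itself removes it (a reboot or an administrator's route command).
        self.routes[ipaddress.IPv4Network(f"{r['destination']}/32")] = r["new_gateway"]
        return True, f"installed {r['destination']}/32 via {r['new_gateway']}"


def demo() -> dict:
    """Firewall 192.168.1.1 is the default gateway; its static route for 10.0.0.0/24
    points at another LAN router, 192.168.1.254. Client is 192.168.1.50. (All assumed.)"""
    client = HostRoutes("192.168.1.0/24", "192.168.1.1")
    legit = build_redirect("192.168.1.1", "192.168.1.50", "192.168.1.254", "10.0.0.7")
    ok_legit, _ = client.apply_redirect(legit)
    # Another LAN host sending a redirect under its own address fails the sender check...
    bogus = build_redirect("192.168.1.66", "192.168.1.50", "192.168.1.66", "10.0.1.9")
    ok_bogus, _ = client.apply_redirect(bogus)
    # ...but if it forges the gateway's source address, both checks pass: traffic for
    # 10.0.1.9 now goes to 192.168.1.66. This is the risk in honouring redirects.
    spoofed = build_redirect("192.168.1.1", "192.168.1.50", "192.168.1.66", "10.0.1.9")
    ok_spoofed, _ = client.apply_redirect(spoofed)
    hardened = HostRoutes("192.168.1.0/24", "192.168.1.1", accept_redirects=False)
    ok_hardened, _ = hardened.apply_redirect(spoofed)
    return {
        "legit_accepted": ok_legit,
        "bogus_sender_rejected": not ok_bogus,
        "spoofed_accepted": ok_spoofed,
        "hardened_rejects": not ok_hardened,
        "hop_10.0.0.7": str(client.next_hop("10.0.0.7")),
        "hop_10.0.1.9": str(client.next_hop("10.0.1.9")),
        "hop_10.0.0.8": str(client.next_hop("10.0.0.8")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the host-route entry for 10.0.0.7 covers only that one address; the client keeps sending to 10.0.0.8 through the firewall until a second redirect arrives, and neither entry is removed when the firewall's static route is later deleted.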