
Re: Why is Linux sending icmp redirects...



On Thu, 2003-11-20 at 22:06, Christian Hammers wrote:
> Hello
> 
> It seems that my linux router is sending icmp redirect messages to a
> host telling him that it should use a gateway which is not on the same
> ip subnet. According to http://www.faqs.org/rfcs/rfc792.html this is
> not valid and so I'm wondering.  
> 
> The problem occurred when two hosts (.66.54 and .77.18) from two different
> ip networks were connected on the same vlan on my linux router (.66.53).
> During this time both were reachable from the internet but not from each other.
> One of the hosts received the following in its logfile:

I believe Linux will by default send ICMP redirects to hosts that are
forwarding via the same interface (ethernet only?). The theory is, if
the router got asked to forward a packet that came in and goes out the
same interface, there must be a more direct route that can bypass this
router.

I think there is a /proc flag you can toggle to change this behaviour.

One complication you can hit with this behaviour is with stateful
firewalls; because the first packet does go via the firewall, but
subsequent packets use the ICMP redirected route, the connection
tracking gets confused. Even worse, if you have some hosts that ignore
the ICMP redirect (which some do by default), then you can have packets
in one direction bypassing the firewall, but not the replies. In this
case the firewall doesn't see the connection as established so doesn't
forward the reply packets. I know shorewall has an option to allow
"new-not-syn" packets through so that these replies do get forwarded.

-- 
Donovan Baarda <abo@minkirri.apana.org.au>
http://minkirri.apana.org.au/~abo/
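As an added example (not part of the thread or Donovan's post): a small POSIX shell audit of the per-interface Linux sysctls behind the behaviour described above. net.ipv4.conf.<if>.send_redirects (router emits ICMP redirects) and net.ipv4.conf.<if>.accept_redirects (host honours them) are real Linux sysctls; the sysctl dump the script reads is constructed so it runs without a live /proc/sys.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits the Linux sysctls that
# govern the behaviour discussed above: net.ipv4.conf.<if>.send_redirects
# (router emits ICMP redirects) and net.ipv4.conf.<if>.accept_redirects
# (host honours them). Both are real Linux sysctls; the input below is a
# constructed `sysctl -a`-style dump so the script runs without /proc/sys.

# Constructed sysctl output from a hypothetical router with two interfaces.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0'

# redirect_findings: read "key = value" lines on stdin and print one line
# "<interface> <setting>" for every interface (including the all/default
# pseudo-entries) that still sends or accepts ICMP redirects.
redirect_findings() {
    awk -F'[ .=]+' '
        $1 == "net" && $2 == "ipv4" && $3 == "conf" && $6 == 1 &&
        ($5 == "send_redirects" || $5 == "accept_redirects") {
            print $4, $5
        }'
}

# count_findings: number of findings in the sysctl dump passed as $1.
count_findings() {
    printf '%s\n' "$1" | redirect_findings | awk 'END { print NR }'
}

# hardening_commands: turn the findings for dump $1 into the sysctl -w
# commands that disable them (persist the same keys in /etc/sysctl.conf).
# Disabling send_redirects on a stateful firewall keeps both directions of
# a connection flowing through it, avoiding the conntrack problem above.
hardening_commands() {
    printf '%s\n' "$1" | redirect_findings |
        awk '{ printf "sysctl -w net.ipv4.conf.%s.%s=0\n", $1, $2 }'
}

# On a real router replace SAMPLE_SYSCTL with "$(sysctl -a 2>/dev/null)".
echo "Interfaces still sending or accepting ICMP redirects:"
printf '%s\n' "$SAMPLE_SYSCTL" | redirect_findings
echo
echo "Remediation:"
hardening_commands "$SAMPLE_SYSCTL"
```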