icmp redirect blocked?

Paul Bijnens email hidden
Thu Sep 27 17:05:03 CEST 2007


We're in the process of migrating a network (class C getting too small).
To avoid one massive downtime, we migrate groups of computers to
the new ip-numbers from the old net 192.168.1.X/16 to the
new, larger 10.10.X.X/16.
Both networks are actually on the same ethernet segment.  Many of the
servers got a dual IP-number in both ranges, so that they can be reached
from both ip-ranges.
For some computers this is not so easy, so they need to be routed
through a gateway.  That gateway is also our firewall, running FIAIF.
It just has 2 IP addresses on the internal interface:  192.168.1.1
and 10.10.1.1.

One "strange" thing is I needed to allow traffic from that internal
zone back to the same internal zone with an explicit rule.
So I have in my zone.int:
   FORWARD[0]="INT ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
OK, this seems to allow the firewall to be used as router.

There is another host that is currently the router to some little branches.
The "main" gateway has routing entries for those networks pointing
to that other gateway.
So, when someone wants to connect to 192.168.2.1, his PC sends the
packet to his default gateway, 192.168.1.1, which sends an "icmp 
redirect" to the other gateway.  However this "icmp redirect" packet
is dropped by the FIAIF firewall: see last entry in the SANITY chain.
And because SANITY is examined before the forward above, the connection
fails.

Am I doing something stupid?
(Real soon now, we will have only 1 network on the internal interface,
but I just wanted to understand what is going on, and why.)


-- 
Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  Paul.Bijnens at xplanation.com
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
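The exchange described in the post, as an added example that is not part of the original message or of FIAIF: the PC's packet for 192.168.2.1 reaches the main gateway, whose route for that network points at another gateway on the same link, so it answers with an ICMP redirect (type 5). The script models that routing decision with the RFC 792 rule, builds the redirect the gateway would emit, and decodes it the way one would decode a redirect captured with tcpdump, so the gateway address the SANITY chain is dropping becomes visible. The PC address 192.168.1.50, the branch gateway address 192.168.1.254, the external next hop 203.0.113.1 and the TCP flow are assumptions; the post does not give them.

```python
import ipaddress
import struct

# Constructed addresses for the scenario in the post. The PC, the branch
# gateway and the external next hop are assumptions (not given in the post).
PC = "192.168.1.50"
BRANCH_GW = "192.168.1.254"   # assumed address of the "other gateway"
BRANCH_HOST = "192.168.2.1"
LINK_NET = "192.168.1.0/24"
MAIN_GW_ROUTES = [            # routing table of the main gateway as described
    ("192.168.2.0/24", BRANCH_GW),
    ("0.0.0.0/0", "203.0.113.1"),
]
ICMP_REDIRECT = 5
REDIRECT_HOST = 1             # code 1: redirect datagrams for this host


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(new_gw: str, orig_ip_header: bytes, orig_payload: bytes,
                        code: int = REDIRECT_HOST) -> bytes:
    """ICMP type 5 per RFC 792: type, code, checksum, gateway address, then the
    offending datagram's IP header plus the first 8 bytes of its payload."""
    body = ipaddress.IPv4Address(new_gw).packed + orig_ip_header + orig_payload[:8]
    msg = struct.pack("!BBH", ICMP_REDIRECT, code, 0) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp_redirect(msg: bytes) -> dict:
    """Decode a redirect (e.g. one lifted from a capture) to see which gateway
    it advertises and which flow triggered it. Raises ValueError otherwise."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP redirect")
    typ, code, _ = struct.unpack("!BBH", msg[:4])
    if typ != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % typ)
    if inet_checksum(msg) != 0:            # a correct checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    inner = msg[8:]                        # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])  # TCP/UDP ports
    return {
        "code": code,
        "new_gateway": str(ipaddress.IPv4Address(msg[4:8])),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
        "orig_sport": sport,
        "orig_dport": dport,
    }


def redirect_target(src: str, dst: str, routes, link_net: str):
    """Simplified RFC 792 rule for why the main gateway redirects: longest-prefix
    lookup of dst; if the next hop sits on the same link as the sender, the
    sender could have gone there directly, so a redirect naming that next hop
    is sent. Directly connected routes (next hop None) are not modelled.
    Returns the advertised gateway or None."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None or best[1] is None:
        return None
    link = ipaddress.ip_network(link_net)
    if ipaddress.ip_address(src) in link and ipaddress.ip_address(best[1]) in link:
        return best[1]
    return None


def demo() -> dict:
    """The PC's SYN to the branch host hits the main gateway, which answers with
    a redirect to the branch gateway; build that redirect and decode it."""
    gw = redirect_target(PC, BRANCH_HOST, MAIN_GW_ROUTES, LINK_NET)
    tcp_syn = struct.pack("!HHLL", 40000, 22, 1, 0)   # ports, seq, ack (constructed)
    ip_hdr = build_ipv4_header(PC, BRANCH_HOST, len(tcp_syn))
    return parse_icmp_redirect(build_icmp_redirect(gw, ip_hdr, tcp_syn))


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-12s %s" % (k, v))
```

The decoded new_gateway field is what a host acting on the redirect would install as a host route for 192.168.2.1; a firewall rule that matches on ICMP type 5 sees exactly this message, so if the SANITY chain is dropping it, matching the advertised gateway and the quoted source against the expected addresses is the check to run before deciding whether to let it through.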


