icmp redirect blocked?
postmaster
email hidden
Fri Sep 28 23:57:22 CEST 2007
ICMP redirects are blocked as they are considered untrustworthy. They
allow outside systems to change the routing tables, which is not at all
secure. You should configure the client PC correctly rather than relying
on insecure ICMP redirect packets.
Temporarily you can comment out the line in sanity_check.sh
Btw. You must know that routing to/from the same interface is ill
advised as it causes massive lots of packet collisions.
Regards
Anders Fugmann
Paul Bijnens wrote:
> We're in the process of migrating a network (class C getting too small).
> To avoid one massive downtime, we migrate groups of computers to
> the new ip-numbers from the old net 192.168.1.X/16 to the
> new, larger 10.10.X.X/16.
> Both networks are actually on the same ethernet segment. Many of the
> servers got a dual IP-number in both ranges, so that they can be reached
> from both ip-ranges.
> For some computers this is not so easy, so they need to be routed
> through a gateway. That gateway is also our firewall, running FIAIF.
> It just has 2 ipaddresses on the internal interface: 192.168.1.1
> and 10.10.1.1.
>
> One "strange" thing is I needed to allow traffic from that internal
> zone back to the same internal zone with an explicit rule.
> So I have in my zone.int:
> FORWARD[0]="INT ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
> OK, this seems to allow the firewall to be used as router.
>
> There's another host that is currently the router to some little branches.
> The "main" gateway has routing entries for those networks pointing
> to that other gateway.
> So, when someone wants to connect to 192.168.2.1, his PC sends the
> packet to his default gateway, 192.168.1.1, which sends an "icmp
> redirect" to the other gateway. However this "icmp redirect" package
> is dropped by the FIAIF firewall: see last entry in the SANITY chain.
> And because SANITY is examined before the forward above, the connection
> fails.
>
> Am I doing something stupid?
> (Real soon now, we will have only 1 network on the internal interface,
> but I just wanted to understand what is going on, and why.)
>
>
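The two defender-side options Anders describes, hardening hosts so they ignore ICMP redirects and giving the client an explicit route instead of relying on the redirect, as an added shell example. This is not code from the FIAIF project or from either poster; it reuses the addresses in the thread and assumes 192.168.2.0/24 as the branch network and 192.168.1.5 as a placeholder for the branch gateway, which the post does not name.

```shell
#!/bin/sh
# Added example, not from FIAIF or the thread authors.
# Shows how to (1) make a Linux host neither accept nor send ICMP redirects,
# (2) log and drop redirect packets at the firewall, mirroring FIAIF's SANITY
# chain, and (3) give a client a static route so the redirect is never needed.
# 192.168.2.0/24 and 192.168.1.5 are assumed placeholder values.

# Print sysctl settings that make a Linux host ignore (and stop sending) ICMP
# redirects. Save to /etc/sysctl.d/ and apply with `sysctl --system` as root.
redirect_hardening_sysctls() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF
}

# Print iptables commands that log, then drop, ICMP redirect (type 5) packets
# on the given chain. Printed rather than executed so they can be reviewed
# before being run with root privileges.
redirect_drop_rules() {
    chain="${1:-INPUT}"
    printf 'iptables -A %s -p icmp --icmp-type redirect -j LOG --log-prefix "ICMP-REDIRECT: "\n' "$chain"
    printf 'iptables -A %s -p icmp --icmp-type redirect -j DROP\n' "$chain"
}

# Print the `ip route` command giving a client a direct route to a branch
# network via the branch gateway: the "configure the client correctly" fix.
static_route_cmd() {
    net="$1"
    via="$2"
    printf 'ip route add %s via %s\n' "$net" "$via"
}

# Audit the running host: returns 0 if every IPv4 accept_redirects knob is
# off, 1 otherwise. Reads only /proc, so it runs unprivileged; files that are
# absent (non-Linux) are skipped.
redirects_disabled() {
    for f in /proc/sys/net/ipv4/conf/all/accept_redirects \
             /proc/sys/net/ipv4/conf/default/accept_redirects; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || return 1
    done
    return 0
}

# Usage: show what would be applied for the scenario in the thread.
redirect_hardening_sysctls
redirect_drop_rules INPUT
static_route_cmd 192.168.2.0/24 192.168.1.5
if redirects_disabled; then
    echo "this host ignores ICMP redirects"
else
    echo "this host still accepts ICMP redirects"
fi
```

With the static route in place on the client, the packet for 192.168.2.1 goes straight to the branch gateway, the default gateway never has to emit a redirect, and the SANITY chain's drop rule no longer matters for that traffic.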