On Thu, 2003-11-20 at 22:06, Christian Hammers wrote:
> Hello
>
> It seems that my linux router is sending icmp redirect messages to a
> host telling him that it should use a gateway which is not on the same
> ip subnet. According to http://www.faqs.org/rfcs/rfc792.html this is
> not valid and so I'm wondering.
>
> The problem occurred when two hosts (.66.54 and .77.18) from two different
> ip networks were connected on the same vlan on my linux router (.66.53).
> During this time both were reachable from the internet but not from each other.
> One of the hosts received the following in its logfile:
I believe Linux will by default send ICMP redirects to hosts that are forwarding via the same interface (ethernet only?). The theory is, if the router got asked to forward a packet that came in and goes out the same interface, there must be a more direct route that can bypass this router. I think there is a /proc flag you can toggle to change this behaviour.

One complication you can hit with this behaviour is with stateful firewalls; because the first packet does go via the firewall, but subsequent packets use the ICMP redirected route, the connection tracking gets confused. Even worse, if you have some hosts that ignore the ICMP redirect (which some do by default), then you can have packets in one direction bypassing the firewall, but not the replies. In this case the firewall doesn't see the connection as established so doesn't forward the reply packets. I know shorewall has an option to allow "new-not-syn" packets through so that these replies do get forwarded.

-- 
Donovan Baarda <[EMAIL PROTECTED]>
http://minkirri.apana.org.au/~abo/
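The "/proc flag" mentioned in the reply is the per-interface `send_redirects` sysctl under `/proc/sys/net/ipv4/conf/` (with `accept_redirects` as its counterpart on receiving hosts). The script below is an added example, not code from either poster or from shorewall: it audits those knobs on a router and reports which interfaces would still emit redirects. It assumes the documented Linux rule that redirect sending on an interface is enabled when either `conf/all/send_redirects` or `conf/<iface>/send_redirects` is 1, and it builds a constructed fake `/proc/sys` tree (interfaces `eth0`, `eth1`) so it can run offline; point it at the real `/proc/sys` on a router to audit the live settings.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Linux sysctl knobs that
# control ICMP redirects. The root defaults to /proc/sys; a constructed
# fake tree is used at the bottom so the script runs offline.

# Read conf/<iface>/<knob> under the given root, printing 0 if absent.
read_knob() {
    root="$1"; iface="$2"; knob="$3"
    f="$root/net/ipv4/conf/$iface/$knob"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Effective send_redirects for an interface: Linux enables it when
# conf/all/send_redirects OR conf/<iface>/send_redirects is 1, so
# clearing only the per-interface file is not enough.
effective_send() {
    root="$1"; iface="$2"
    a=$(read_knob "$root" all send_redirects)
    i=$(read_knob "$root" "$iface" send_redirects)
    if [ "$a" = 1 ] || [ "$i" = 1 ]; then echo 1; else echo 0; fi
}

# One report line per real interface directory (skipping all/default).
audit_redirects() {
    root="${1:-/proc/sys}"
    for dir in "$root"/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        printf '%s send_redirects(effective)=%s accept_redirects=%s\n' \
            "$iface" "$(effective_send "$root" "$iface")" \
            "$(read_knob "$root" "$iface" accept_redirects)"
    done
}

# Number of interfaces that would still emit redirects (0 means hardened).
count_senders() {
    audit_redirects "$1" | grep -c 'send_redirects(effective)=1' || true
}

# Hardening a router amounts to (commands shown here, not executed):
#   sysctl -w net.ipv4.conf.all.send_redirects=0
#   sysctl -w net.ipv4.conf.default.send_redirects=0
#   sysctl -w net.ipv4.conf.eth0.send_redirects=0
# and on hosts that should not honour redirects at all:
#   sysctl -w net.ipv4.conf.all.accept_redirects=0

# Constructed fake tree imitating a typical router: all=1, eth0=1, eth1=0.
make_fake_tree() {
    base="$1"
    for i in all default eth0 eth1; do
        mkdir -p "$base/net/ipv4/conf/$i"
        echo 1 > "$base/net/ipv4/conf/$i/accept_redirects"
    done
    echo 1 > "$base/net/ipv4/conf/all/send_redirects"
    echo 1 > "$base/net/ipv4/conf/eth0/send_redirects"
    echo 0 > "$base/net/ipv4/conf/eth1/send_redirects"
}

# Demonstration: report the fake router before and after clearing conf/all.
tmp=$(mktemp -d)
make_fake_tree "$tmp"
echo "before: $(count_senders "$tmp") interface(s) sending redirects"
audit_redirects "$tmp"
echo 0 > "$tmp/net/ipv4/conf/all/send_redirects"
echo "after clearing all: $(count_senders "$tmp") interface(s) sending redirects"
audit_redirects "$tmp"
rm -rf "$tmp"
```

Note that in the fake tree `eth1` has its own `send_redirects` set to 0 yet is still reported as sending while `conf/all/send_redirects` is 1; that is the trap the audit is meant to catch, and it is why the hardening commands clear `all`, `default` and every interface entry rather than just one.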

