> - Even if a first packet works, the FW IP stack should generate an ICMP
> redirect to your client, since the packet is relayed through the same
> interface it came in. The client should drop this redirect, since it is
> for a destination address that is not in its subnet. But you never know!
> Sniff to see if that happens.
>
This was my theory, too (note that the same question was sent earlier last
week already). I have observed that some clients (I believe it was an NT 4.0
box) seem to get confused by ICMP redirects that don't fit in with their
idea of the world. We had a Linux box with two IP addresses aliased on one
NIC sitting on the same Ethernet segment as two NT machines, one in each IP
subnet of the two the Linux box was in. The Linux box was supposed to route
between them and we wanted to get by with just one NIC. What happened is
that the first ping packet went through, but the Linux box sent the sending
NT box an ICMP redirect, since the Linux box knew that both NT boxes were on
the same network (i.e. out of the same NIC and on a directly attached
subnet). The sending NT box ceased to send the Linux box anything after
that. We used ipchains to prevent the ICMP redirects and then it worked
(there's a sysctl option to disable them, too, I believe).
Tobias
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
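The behaviour the thread expects from a well-behaved client (drop a redirect whose new gateway is not on the connected subnet, and ignore redirects from anything that is not the current first hop) is the RFC 1122 section 3.2.2.2 rule. The following is an added example, not code from the original post: a small Python model of a host that parses an ICMPv4 redirect and applies that rule, replayed against a constructed copy of Tobias's layout. The addresses (192.0.2.0/24 and 198.51.100.0/24 from the documentation ranges), the simplified one-interface host model and the helper names are all assumptions for illustration.

```python
# Added example (not from the original post): RFC 1122 3.2.2.2 sanity check for
# ICMPv4 redirects, with a constructed replay of the "one NIC, two aliased
# subnets" layout described in the thread.
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMPv4 type 5


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(gateway: str, orig_src: str, orig_dst: str, code: int = 1) -> bytes:
    """Constructed sample redirect: ICMP header, then the IP header plus 8 bytes
    of the datagram that triggered it, as a router would emit it (code 1 = host)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                           ipaddress.IPv4Address(orig_src).packed,
                           ipaddress.IPv4Address(orig_dst).packed)
    inner_ip = inner_ip[:10] + struct.pack("!H", inet_checksum(inner_ip)) + inner_ip[12:]
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(gateway).packed) + inner_ip + b"\x00" * 8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_redirect(payload: bytes):
    """Return (code, new_gateway, redirected_destination) or raise ValueError."""
    if len(payload) < 28:
        raise ValueError("truncated ICMP redirect")
    if inet_checksum(payload) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", payload[:8])
    if icmp_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    inner = payload[8:]
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("malformed inner IP header")
    return code, ipaddress.IPv4Address(gw), ipaddress.IPv4Address(inner[16:20])


class Host:
    """Hypothetical single-interface host with a tiny longest-prefix route table."""

    def __init__(self, iface_net: str, routes: dict):
        self.iface_net = ipaddress.IPv4Network(iface_net)
        # routes: destination network -> next hop; "0.0.0.0/0" is the default
        self.routes = {ipaddress.IPv4Network(n): ipaddress.IPv4Address(g)
                       for n, g in routes.items()}

    def first_hop(self, dst):
        best = max((n for n in self.routes if dst in n),
                   key=lambda n: n.prefixlen, default=None)
        return self.routes[best] if best is not None else None

    def handle_redirect(self, sender: str, payload: bytes):
        sender = ipaddress.IPv4Address(sender)
        try:
            code, gw, dst = parse_redirect(payload)
        except ValueError as err:
            return ("discard", str(err))
        if code not in (0, 1, 2, 3):  # net, host, TOS+net, TOS+host
            return ("discard", "unknown redirect code %d" % code)
        if gw not in self.iface_net:
            # The case from the thread: the new gateway is not on our subnet.
            return ("discard", "gateway %s not on connected subnet %s" % (gw, self.iface_net))
        if self.first_hop(dst) != sender:
            return ("discard", "sender %s is not the current first hop for %s" % (sender, dst))
        self.routes[ipaddress.IPv4Network(dst)] = gw  # install a host route
        return ("accept", "route %s via %s" % (dst, gw))


def scenario():
    """Constructed replay: NT_A 192.0.2.10 and the Linux router 192.0.2.1 share
    192.0.2.0/24; NT_B at 198.51.100.10 is on the router's aliased second subnet."""
    nt_a = Host("192.0.2.0/24", {"0.0.0.0/0": "192.0.2.1"})
    results = {}
    # Router tells NT_A to reach NT_B directly: the gateway is outside NT_A's subnet.
    results["cross_subnet"] = nt_a.handle_redirect(
        "192.0.2.1", build_redirect("198.51.100.10", "192.0.2.10", "198.51.100.10"))
    # Legitimate redirect to another router on NT_A's own subnet.
    results["same_subnet"] = nt_a.handle_redirect(
        "192.0.2.1", build_redirect("192.0.2.254", "192.0.2.10", "203.0.113.7"))
    # Redirect from a box that is not NT_A's first hop for that destination.
    results["wrong_sender"] = nt_a.handle_redirect(
        "192.0.2.99", build_redirect("192.0.2.254", "192.0.2.10", "203.0.113.9"))
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print("%-13s %-8s %s" % (name, verdict[0], verdict[1]))
```

The first case is exactly the redirect the Linux box in the post would send: from the router's point of view NT_B is directly attached, so it names NT_B itself as the new gateway, and a conforming client drops that because 198.51.100.10 is not on 192.0.2.0/24. A client that instead installs the route (or worse, stops talking to the router) is what the post describes, which is why the fix sits on the router side: stop emitting redirects there (ipchains in the post, or the corresponding sysctl on newer kernels) rather than trusting every client to validate them.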