Thus said "Jose Fragoso" on Thu, 18 Oct 2012 15:01:39 EDT:

> Some are. But I think that the firewall is generating redirects only
> when it sees other icmp redirects from other sources.

We need to identify the source of the packets that are causing the ICMP redirects and then identify the source of the actual ICMP redirect packets themselves. The fact that you have two logical subnets on the same interface might be a contributing factor (I've seen this before but I don't recall under what conditions).

If you look at /usr/src/sys/netinet/ip_input.c, 'round about line 1480, it will give you all the conditions under which OpenBSD will send ICMP redirects.

Any chance that you could send some tcpdump output showing both the source of the packets and then the ICMP redirect packets being sent in response?

> Anyway, I would like to stop that. But how? I tried to block using PF
> and also tried sysctl.

Before you can stop anything you have to understand what is going on. At this point it's too early to say how to stop it because there isn't enough information to determine the cause.

In general, ICMP redirects only get sent by gateway systems. Do you have other gateways involved here? Perhaps your OpenBSD firewall is forwarding packets to another gateway and the next hop is on the same interface that the packet arrived on, so it sends your OpenBSD an ICMP redirect. Perhaps a host on sk0 is sending to another subnet routed through sk0, and your OpenBSD firewall is sending ICMP redirects. Too much guesswork at this point to know what you can do to stop it.

So, let's see if we can identify the source IP, the destination IP, and which IP is sending the redirects in a few situations.

Andy
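Added example, not part of the original message: a small Python parser that pulls out of a raw IPv4 packet the three things asked for above (which IP sent the ICMP redirect, which gateway it advises, and the source and destination of the packet that triggered it). The function names and the sample packet are assumptions made for illustration; the addresses are constructed from documentation ranges.

```python
import socket
import struct

# ICMP type 5 (redirect) codes
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_redirect(packet):
    """Return redirect sender, advised gateway and triggering flow, or None
    when the packet is not an IPv4 ICMP redirect."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                  # outer IP header length
    if packet[9] != 1 or len(packet) < ihl + 8 + 20:
        return None                               # not ICMP, or truncated
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type != 5:
        return None
    inner = packet[ihl + 8:]                      # embedded original IP header
    return {
        "redirect_sender": socket.inet_ntoa(packet[12:16]),
        "redirect_sent_to": socket.inet_ntoa(packet[16:20]),
        "code": REDIRECT_CODES.get(code, "unknown"),
        "use_gateway": socket.inet_ntoa(packet[ihl + 4:ihl + 8]),
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
    }

def sample_redirect():
    """Constructed sample: gateway 192.0.2.1 tells host 192.0.2.10 to reach
    198.51.100.7 via 192.0.2.254 instead."""
    inner = ipv4_header("192.0.2.10", "198.51.100.7", 6, 8) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton("192.0.2.254")) + inner
    return ipv4_header("192.0.2.1", "192.0.2.10", 1, len(icmp)) + icmp

if __name__ == "__main__":
    for key, value in parse_redirect(sample_redirect()).items():
        print(f"{key:17} {value}")
```

Comparing redirect_sender with orig_src and orig_dst across several captured packets shows whether the firewall or another gateway on the segment is emitting the redirects.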

