On Thu, Jun 06, 2002 at 09:55:09AM -0400, Joe Patterson wrote:
> That's interesting... I guess it could make sense... sort of...
>
> but, to be really obnoxious about it, I would think it would make sense to
> have rules such as:
>
> for IF in `ifconfig | cut -d " " -f 1 | grep -v ^$`; do
>     $IPT -A INPUT -p icmp --icmp-type 5 -m state --state RELATED -i $IF -s `ip addr ls dev $IF | grep inet | cut -d " " -f 6` -j ACCEPT
> done
>
> and
>
> $IPT -A FORWARD -p icmp --icmp-type 5 -j DROP
>
> on the basis of my belief that you should never ever have a redirect
> crossing a router, but you *may* want to accept redirects from local
> gateways...
>
> Any thoughts?
You're absolutely right. An ICMP redirect is sent from one interface to another interface on the _same_ subnet. In some ways it should be seen as something like an ARP, which has a layer 2 significance. However, proxying ARP makes sense, but proxying (or forwarding in general) of an ICMP redirect does not make sense at all. Whether it could be seen as RELATED or not is sort of a philosophical matter, as an ICMP redirect is meant to _notify_ a forwarding entity of the existence of a better next-hop on the _same_ subnet. So, is this kind of thing RELATED? Yes, in the sense that it is caused by the forwarding of _that_ packet, and no, in the sense that the same redirect could get triggered by lots of other non-related connections, and besides, ignoring these redirects would not harm the communication at all.

Ramin

> > -Joe
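The rule set Joe sketched, written out as an added example that is not code from either poster: it reads `ip -o -4 addr show` instead of ifconfig so the source match is the attached subnet in network/prefix form, accepts type 5 (redirect) only from that subnet on the interface it sits on, drops redirects from anywhere else, and drops anything that would cross FORWARD. The sample address listing is constructed, and the script only prints the iptables commands so it can be checked as a dry run before applying.

```shell
#!/bin/sh
# Added example, not from the original thread. Rules are printed, not applied,
# so this runs as an offline dry run; pipe the output to sh to apply it.
IPT=${IPT:-iptables}

# Constructed sample of `ip -o -4 addr show` output (not from a real host).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.1/24 brd 198.51.100.255 scope global eth1\       valid_lft forever preferred_lft forever'

# network_of a.b.c.d/n -> network address of that CIDR (10.1.2.3/16 -> 10.1.0.0/16)
network_of() {
    addr=${1%/*}; plen=${1#*/}
    a=${addr%%.*}; rest=${addr#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# redirect_rules "<ip -o -4 addr show output>" -> one iptables command per line
redirect_rules() {
    printf '%s\n' "$1" | while read -r _idx ifname _fam cidr _rest; do
        # Loopback never receives a redirect worth honouring; skip it.
        if [ "$ifname" = lo ]; then continue; fi
        subnet=$(network_of "$cidr")
        # ICMP type 5 is redirect; only the directly attached subnet may send one.
        printf '%s -A INPUT -i %s -s %s -p icmp --icmp-type 5 -m state --state RELATED -j ACCEPT\n' \
            "$IPT" "$ifname" "$subnet"
    done
    # Redirects from any other source are not for us: drop them.
    printf '%s -A INPUT -p icmp --icmp-type 5 -j DROP\n' "$IPT"
    # A redirect must never cross the router, whatever its source.
    printf '%s -A FORWARD -p icmp --icmp-type 5 -j DROP\n' "$IPT"
}

redirect_rules "$SAMPLE_ADDRS"
```

The kernel side of the same decision is net.ipv4.conf.*.accept_redirects; on a box that forwards, setting it to 0 removes the need to trust any redirect at all.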
