On Tue, Jan 15, 2013 at 09:46:37AM -0600, Karl O. Pinc wrote:

> Something that's not mentioned that
> comes to mind is ICMP redirection.  (Without thinking
> about it a lot it seems like it should be a good candidate.)
> However when I tried ICMP redirection on OpenBSD
> years ago I couldn't get it to work.  Never looked to see why, 
> or whether it's been fixed since.  Or, I might have been doing 
> something wrong.   If anyone can send a clue my way
> I'd appreciate knowing more.

An ICMP redirect, if it is honored by a client, does not mean "if you
want to talk to external-server, connect to proxy-on-local-network
instead", but "if you want to reach external-server, route through

The difference is that the reaction will not change the destination
IP address, but the destination MAC address. Its really the same as if
you added a temporary host route on the client.

The proxy will simply ignore the IP packet for a foreign IP address sent
to its MAC address (like a default gateway that has IP forwarding

OpenBSD ignores ICMP redirects by default, you can enable it with sysctl
net.inet.icmp.rediraccept, if you want to try. The security risk is that
someone on the local network could send you ICMP redirects for various
destinations (like DNS server), for a man-in-the-middle attack.


Reply via email to