So I'm still trying to get tcp reflection working on my internal network. The rules are set up properly, but I'm seeing some odd behavior. The client sends a packet to the ext_if of the firewall, the gateway does redirect and NAT on the int_if, and sends it on to the internal server. Everything up to the packet hitting the server looks hunky-dory.
Well, at this point things get weird. A tcpdump of all interfaces shows that the server *attempts* to send the return packet to the gateway, but it uses the CLIENT mac address instead! I've been beating my head against the wall on this for a few days now (I have the tcpdump captures and dented wall to prove it). Well, things started to clear up a bit just now when I captured the session with ethereal. Around the 7th packet into the connection, the gateway sends an ICMP redirect (type 5, code 1) to the server with the client's IP as the "gateway"! This appears to be causing the server to route the return packets directly to the client interface, even though the IP says otherwise. Any idea what would cause this behavior? Is this normal? Is it a byproduct of some weird conflicting pf rule? TIA, J.
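The packet the poster describes is an ICMP Redirect (type 5, code 1 = "redirect for host"): an 8-byte ICMP header whose last four bytes name the new next hop, followed by the IP header and first 8 bytes of the datagram that triggered it. The following parser is an added example, not code from the post or from pf; it builds a constructed redirect (addresses from TEST-NET, gateway 192.0.2.1, server 192.0.2.20, client 192.0.2.30, all made up) and decodes it from a raw IPv4 packet, so a defender can pull the same fields out of a capture without a dissector. The `redirect_bypasses_gateway` heuristic is my own: it flags exactly the situation in the post, a redirect whose advertised next hop is the destination of the embedded datagram itself, which means the router is telling the host to stop routing that flow through it.

```python
import socket
import struct
from typing import Optional

# Constructed sample addresses (RFC 5737 TEST-NET-1), not from the original post.
GATEWAY = "192.0.2.1"   # firewall int_if
SERVER = "192.0.2.20"   # internal server receiving the redirect
CLIENT = "192.0.2.30"   # internal client that started the connection

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_icmp_redirect(gateway: str, original_datagram: bytes, code: int = 1) -> bytes:
    """ICMP type 5: type, code, checksum, gateway address, then the original
    IP header plus the first 8 bytes of its payload (28 bytes without options)."""
    body = original_datagram[:28]
    hdr = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(gateway))
    csum = checksum(hdr + body)
    return struct.pack("!BBH4s", ICMP_REDIRECT, code, csum, socket.inet_aton(gateway)) + body


def parse_icmp_redirect(frame: bytes) -> Optional[dict]:
    """Decode an IPv4 packet carrying an ICMP redirect; None if it is anything else."""
    if len(frame) < 20:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8 + 28:  # not ICMP or too short
        return None
    icmp = frame[ihl:]
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != ICMP_REDIRECT or checksum(icmp) != 0:
        return None
    inner = icmp[8:]  # the datagram that provoked the redirect
    return {
        "sender": socket.inet_ntoa(frame[12:16]),      # router that sent it
        "target": socket.inet_ntoa(frame[16:20]),      # host being redirected
        "code": code,
        "code_name": REDIRECT_CODES.get(code, "unknown"),
        "new_gateway": socket.inet_ntoa(gw),
        "original_src": socket.inet_ntoa(inner[12:16]),
        "original_dst": socket.inet_ntoa(inner[16:20]),
        "original_proto": inner[9],
    }


def redirect_bypasses_gateway(r: dict) -> bool:
    """Heuristic (mine): the advertised next hop is the embedded datagram's own
    destination, i.e. the router is steering the flow straight to the peer."""
    return r["new_gateway"] == r["original_dst"]


def sample_redirect_frame() -> bytes:
    """Constructed reproduction of the post's packet: gateway tells the server
    to reach the client directly for the server->client TCP return traffic."""
    tcp_start = struct.pack("!HHI", 80, 51000, 1)  # src port, dst port, seq
    original = build_ipv4_header(SERVER, CLIENT, 6, 20) + tcp_start
    icmp = build_icmp_redirect(CLIENT, original, code=1)
    return build_ipv4_header(GATEWAY, SERVER, 1, len(icmp)) + icmp


if __name__ == "__main__":
    info = parse_icmp_redirect(sample_redirect_frame())
    print(info)
    print("bypasses gateway:", redirect_bypasses_gateway(info))
```

Run against the IP payload of each ICMP packet in a capture, the parser turns the poster's observation into a concrete record (sender, target, code, new gateway, embedded source and destination); a redirect from the firewall whose new gateway equals the embedded destination is the signature to look for when return traffic stops flowing through the NAT.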
