On Sat, 2002-11-16 at 04:20, Camiel Dobbelaar wrote:
> On 15 Nov 2002, Jason Dixon wrote:
> > Well, things started to clear up a bit just now when I captured the session with ethereal. Around the 7th packet into the connection, the gateway sends an ICMP redirect (type 5, code 1) to the server with the client's IP as the "gateway"! This appears to be causing the server to route the return packets directly to the client interface, even though the IP says otherwise.
> >
> > Any idea what would cause this behavior? Is this normal? Is it a byproduct of some weird conflicting pf rule?
>
> Gateways send ICMP redirects if they notice that a routed packet leaves the same interface as where it came in on. That's normal behavior.
>
> In your case the packet is NAT'ed twice though, which probably confuses the network stack as much as it does me. :-)
>
> Blocking those redirects on the gateway may well not be possible, since pf matches ICMP errors automagically to existing states.
>
> What does the ICMP redirect look like exactly?
Which bits? It's a type 5 (redirect) ICMP packet with a source of the firewall's internal interface and a destination of the server. Tells the server that the "gateway address" should be "the client's IP". I know it sounds odd, but both the FAQ and Daniel claim (and I believe them) that this setup should work. It may be ugly, but it's been tested. I see what you're saying though, about the packet crossing the same interface. It seems as though we really should be doing the redirect on the external interface. *sigh*

-J.
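As an added example, not from this thread or from pf, here is a small Python decoder for the kind of redirect discussed above: it builds a constructed ICMP redirect (type 5, code 1) using assumed documentation addresses (router 192.168.1.1, server 192.168.1.10, client 203.0.113.5), pulls out the advertised gateway and the embedded original IP header, and applies the RFC 1122 check a host or a LAN sensor can run on it (a redirect whose new gateway is not on the link it arrived on should be ignored).

```python
import struct
import ipaddress

ICMP_REDIRECT = 5  # ICMP type 5; code 1 is "redirect for host", as seen in the capture

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero; enough for decoding)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_redirect(router: str, host: str, new_gw: str, orig_src: str, orig_dst: str) -> bytes:
    """Constructed sample: the redirect `router` sends to `host` about its packet to orig_dst."""
    # ICMP errors carry the offending packet's IP header plus the first 8 bytes of its payload
    orig = ipv4_header(orig_src, orig_dst, 6, 20) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ipaddress.IPv4Address(new_gw).packed) + orig
    return ipv4_header(router, host, 1, len(icmp)) + icmp

def parse_redirect(pkt: bytes):
    """Return the interesting fields of an ICMP redirect, or None if pkt is not one."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # IP protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    typ, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        return None
    inner = icmp[8:]                      # embedded original IP header
    return {
        "from": str(ipaddress.IPv4Address(pkt[12:16])),
        "to": str(ipaddress.IPv4Address(pkt[16:20])),
        "code": code,
        "new_gateway": str(ipaddress.IPv4Address(gw)),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }

def classify(info: dict, lan: str) -> str:
    """What the receiving host (or an IDS watching the LAN) should make of the redirect."""
    net = ipaddress.IPv4Network(lan)
    if ipaddress.IPv4Address(info["new_gateway"]) not in net:
        return "invalid: advertised gateway is not on the local link (RFC 1122 says discard)"
    if info["new_gateway"] == info["orig_dst"]:
        return "direct: router says the destination itself is on this link"
    return "reroute: use another on-link router for this destination"
```

Feeding it the thread's scenario (a redirect naming the off-link client as the gateway) yields the "invalid" verdict, while the usual same-interface case (destination on the LAN) yields "direct".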
