Camiel Dobbelaar wrote:

On 15 Nov 2002, Jason Dixon wrote:

Well, things started to clear up a bit just now when I captured the
session with ethereal.  Around the 7th packet into the connection, the
gateway sends an ICMP redirect (type 5, code 1) to the server with the
client's IP as the "gateway"!  This appears to be causing the server to
route the return packets directly to the client interface, even though
the IP says otherwise.

Any idea what would cause this behavior?  Is this normal?  Is it a
byproduct of some weird conflicting pf rule?

Yes.
I've used exactly the same configuration you're using
(i.e. double NAT). And I got the same problem (ICMP redirect):

Blocking those redirects on the gateway may well not be possible,
since pf matches ICMP errors automagically to existing states.

On the contrary, it is very easy:
sysctl -w net.inet.ip.redirect=0
Cedric
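
The redirect described in this thread (type 5, code 1, with an unexpected host in the gateway field) can be checked for in a capture with a small parser. This is an added example, not part of the original messages; the addresses are constructed from the 192.0.2.0/24 documentation range and the `known_routers` parameter is a hypothetical allow-list.

```python
import struct
from ipaddress import IPv4Address

CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}  # RFC 792

def inet_checksum(data: bytes) -> int:
    """Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes, known_routers):
    """Parse an ICMP payload; return None unless it is a well-formed redirect."""
    if len(icmp) < 28 or icmp[0] != 5:        # 8-byte ICMP header + 20-byte IP header
        return None
    inner = icmp[8:]                          # header of the packet that triggered it
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    gateway = str(IPv4Address(icmp[4:8]))     # "use this next hop instead"
    return {
        "code": CODES.get(icmp[1], "unknown"),
        "gateway": gateway,
        "orig_src": str(IPv4Address(inner[12:16])),
        "orig_dst": str(IPv4Address(inner[16:20])),
        "checksum_ok": inet_checksum(icmp) == 0,
        # A redirect pointing at a host that is not a router deserves a look.
        "unexpected_gateway": gateway not in known_routers,
    }

def build_sample() -> bytes:
    """Constructed redirect: the gateway field holds a client address (192.0.2.20)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                        IPv4Address("192.0.2.10").packed,   # server (assumed)
                        IPv4Address("192.0.2.1").packed)    # NAT address (assumed)
    inner += b"\x00" * 8                      # first 8 bytes of the original payload
    body = struct.pack("!BBH4s", 5, 1, 0, IPv4Address("192.0.2.20").packed) + inner
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    print(parse_redirect(build_sample(), known_routers={"192.0.2.1"}))
```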

