On Sat, 2002-11-16 at 05:14, Cedric Berger wrote:
> Camiel Dobbelaar wrote:
>
> >>Well, things started to clear up a bit just now when I captured the
> >>session with ethereal. Around the 7th packet into the connection, the
> >>gateway sends an ICMP redirect (type 5, code 1) to the server with the
> >>client's IP as the "gateway"! This appears to be causing the server to
> >>route the return packets directly to the client interface, even though
> >>the IP says otherwise.
> >>
> >>Any idea what would cause this behavior? Is this normal? Is it a
> >>byproduct of some weird conflicting pf rule?
> >>
> Yes.
> I've used exactly the same configuration you're using
> (i.e double NAT). And I got the same problem (ICMP redirect):
>
> >Blocking those redirects on the gateway may well not be possible,
> >since pf matches ICMP errors automagically to existing states.
> >
> On the contrary, It is very easy:
> sysctl -w net.inet.ip.redirect=0
> Cedric

Thank you!!! Where should I send the beer? ;-)

-J.
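An added example, not part of the thread: Python that decodes the ICMP redirect (type 5, code 1) discussed above from raw ICMP bytes and flags a redirect whose advertised gateway is not a known router, which is the symptom reported here. The addresses, the `known_routers` allow-list and the function names are assumptions made up for illustration.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp_redirect(icmp: bytes, known_routers: set):
    """Return decoded fields for an ICMP redirect, or None for anything else."""
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_REDIRECT or icmp[8] >> 4 != 4:
        return None
    gateway = str(ipaddress.IPv4Address(icmp[4:8]))
    inner = icmp[8:]                      # header of the packet that triggered it
    return {
        "code": CODES.get(icmp[1], "unknown"),
        "new_gateway": gateway,
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "checksum_ok": inet_checksum(icmp) == 0,
        # A redirect naming a host that is not one of our routers as next hop
        # is the symptom from the thread (client IP given as the "gateway").
        "unexpected_gateway": gateway not in known_routers,
    }

def build_sample(gateway: str, src: str, dst: str) -> bytes:
    """Constructed type 5 / code 1 message; all addresses are made up."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    inner = struct.pack("!BBHHHBBH", 0x45, 0, 40, 1, 0, 64, 6, 0) + pack(src) + pack(dst)
    inner += struct.pack("!HHI", 80, 40000, 1)        # first 8 bytes of TCP
    body = pack(gateway) + inner
    cksum = inet_checksum(struct.pack("!BBH", ICMP_REDIRECT, 1, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, 1, cksum) + body

if __name__ == "__main__":
    routers = {"192.168.1.1"}             # assumed list of legitimate routers
    msg = build_sample("192.168.1.10", "192.168.1.20", "192.168.1.10")
    print(parse_icmp_redirect(msg, routers))
```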
