Kernel decision logic on ICMP redirect

2013-01-11 Thread Dennis Glatting
I have a network:


 NetA - GW1 --- GW2 - NetB
                      |- GW3 - NetC
            HostFoo - |

GW1 is a Cisco router running OSPF.

GW2 is FreeBSD 9.1 running OSPF via Quagga, and is forwarding.

GW3 is FreeBSD 9.1 connected to another network and is forwarding.


GW2 has a static route pointing to NetC.


HostFoo has a default route (only) to GW2 and can ping a host on NetC
because it gets an ICMP redirect from GW2 (FreeBSD) to GW3. However, if
HostFoo pings a host on NetA it DOES NOT get an ICMP redirect from GW2.

Looking through the kernel code, which is where I need help, it seems
routes learned DYNAMIC, in this case GW2 via OSPF from GW1, are not
routes for which redirects will be generated by GW2. Is that true? 

What is it I need to do to convince GW2 to generate redirects for
learned routes?


 




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
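The following is an added example, not code from the post and not the kernel source: a C model of the checks ip_forward() in sys/netinet/ip_input.c makes before it sends an ICMP host redirect, reconstructed from memory of that function's comment block and code. In this model how a route was learned is not one of the checks; RTF_DYNAMIC and RTF_MODIFIED mark routes that an earlier redirect installed or altered, and the decisive condition is that the packet would leave on the interface it arrived on. The structs, interface numbers, addresses and route flags below are constructed stand-ins for the kernel's rtentry and ifaddr objects, and the topology only loosely follows the one in the post.

```c
/* Added example (not kernel code): a model of the decision ip_forward() in
 * sys/netinet/ip_input.c makes before sending an ICMP host redirect.  The
 * checks are reproduced from that function as remembered; the structs,
 * addresses and interface numbers are constructed stand-ins. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Route flags, with the meaning <net/route.h> gives them. */
#define RTF_GATEWAY  0x0002  /* destination is reached through a gateway */
#define RTF_DYNAMIC  0x0010  /* route was created by an ICMP redirect */
#define RTF_MODIFIED 0x0020  /* route's gateway was modified by a redirect */

#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct iface { int id; uint32_t addr, mask; };   /* addresses in host byte order */
struct route {
    uint32_t key;              /* destination prefix; 0 for the default route */
    uint32_t gateway;          /* next hop, used when RTF_GATEWAY is set */
    unsigned flags;
    const struct iface *ifp;   /* interface the route sends out of */
};
struct verdict { bool redirect; uint32_t redirect_to; };

/* sendredirects stands for net.inet.ip.redirect; srcrt is true when the
 * packet carried a source-route option.  rt is the lookup result for dst,
 * rcvif the interface the packet arrived on. */
static struct verdict decide_redirect(const struct route *rt, const struct iface *rcvif,
                                      uint32_t src, uint32_t dst,
                                      bool sendredirects, bool srcrt)
{
    struct verdict v = { false, 0 };
    if (srcrt || !sendredirects)
        return v;                 /* policy off, or source routed */
    if (rt == NULL || rt->ifp->id != rcvif->id)
        return v;                 /* leaves on another interface: we are the right hop */
    if (rt->flags & (RTF_DYNAMIC | RTF_MODIFIED))
        return v;                 /* never chain a redirect off a redirected route */
    if (rt->key == 0)
        return v;                 /* never redirect via the default route */
    if ((src & rt->ifp->mask) != (rt->ifp->addr & rt->ifp->mask))
        return v;                 /* only senders directly on that interface's subnet */
    v.redirect = true;
    v.redirect_to = (rt->flags & RTF_GATEWAY) ? rt->gateway : dst;  /* host redirect */
    return v;
}

/* Constructed topology: GW2 has interface 1 on 192.0.2.0/24 (NetB, shared
 * with HostFoo .10 and GW3 .3) and interface 2 on a 198.51.100.0/30 link
 * toward GW1. */
static const struct iface netb     = { 1, IP(192, 0, 2, 2),     IP(255, 255, 255, 0) };
static const struct iface link_gw1 = { 2, IP(198, 51, 100, 2),  IP(255, 255, 255, 252) };
static const uint32_t hostfoo = IP(192, 0, 2, 10);

static const struct route netc_static   = { IP(203, 0, 113, 0), IP(192, 0, 2, 3), RTF_GATEWAY, &netb };
static const struct route netc_redirect = { IP(203, 0, 113, 7), IP(192, 0, 2, 3), RTF_GATEWAY | RTF_DYNAMIC, &netb };
static const struct route neta_via_gw1  = { IP(10, 0, 0, 0), IP(198, 51, 100, 1), RTF_GATEWAY, &link_gw1 };
static const struct route default_netb  = { 0, IP(192, 0, 2, 1), RTF_GATEWAY, &netb };

/* HostFoo -> NetC over a static route: packet would go back out interface 1. */
struct verdict scenario_static_same_iface(void)
{ return decide_redirect(&netc_static, &netb, hostfoo, IP(203, 0, 113, 7), true, false); }
/* HostFoo -> NetA: the route exits on the GW1 link, not back into NetB. */
struct verdict scenario_exits_other_iface(void)
{ return decide_redirect(&neta_via_gw1, &netb, hostfoo, IP(10, 0, 0, 5), true, false); }
/* A host route that a redirect installed earlier never triggers another. */
struct verdict scenario_route_from_redirect(void)
{ return decide_redirect(&netc_redirect, &netb, hostfoo, IP(203, 0, 113, 7), true, false); }
/* A default route pointing back into NetB still gets no redirect. */
struct verdict scenario_default_route(void)
{ return decide_redirect(&default_netb, &netb, hostfoo, IP(10, 0, 0, 5), true, false); }
/* net.inet.ip.redirect=0 suppresses everything. */
struct verdict scenario_redirects_disabled(void)
{ return decide_redirect(&netc_static, &netb, hostfoo, IP(203, 0, 113, 7), false, false); }

static void show(const char *name, struct verdict v)
{
    unsigned a = v.redirect_to;
    if (v.redirect)
        printf("%-24s redirect to %u.%u.%u.%u\n", name, a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
    else
        printf("%-24s no redirect\n", name);
}

int main(void)
{
    show("static, same iface", scenario_static_same_iface());
    show("exits other iface", scenario_exits_other_iface());
    show("route from redirect", scenario_route_from_redirect());
    show("default route", scenario_default_route());
    show("redirects disabled", scenario_redirects_disabled());
    return 0;
}
```

To check which branch a real host hits, compare the outgoing interface of the route (netstat -rn, Netif column) with the interface the sender is on, and look for the D or M flag on the route and for net.inet.ip.redirect=1 in sysctl.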


Re: ICMP redirect

2005-05-26 Thread FreeBSD questions mailing list


On 25 mei 2005, at 17:55, Charles Swiger wrote:


On May 25, 2005, at 11:46 AM, FreeBSD questions mailing list wrote:


Lately i get a lot (really a lot) of these errors:

icmp redirect from 127.0.0.1: my outside IP => 127.0.0.1

I have no idea where they come from or, better, how to get rid of  
them...

Can anyone point me in a direction to solve this problem?



You are probably trying to access services on the localhost via the  
name of your outside IP, rather than via localhost.  I would gather  
that you are running NAT somewhere.


You can set up /etc/hosts so that name refers to the inside IP  
addr, or set up split DNS.  Another way would be to add an alias of  
your outside IP on the machine...


--
-Chuck


thanks
Arno







ICMP redirect

2005-05-25 Thread FreeBSD questions mailing list

Hello,
Lately i get a lot (really a lot) of these errors:

icmp redirect from 127.0.0.1: my outside IP => 127.0.0.1

I have no idea where they come from or, better, how to get rid of them...
Can anyone point me in a direction to solve this problem?
Thanks in advance
Arno

my firewall rules:

#!/bin/sh
### Start of IPFW rules file ###
###

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix (quoted so the multi-word values survive expansion)
cmd="ipfw -q add"
skip="skipto 800"
pif=rl0 # public interface name of NIC
        # facing the public Internet

#
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#
$cmd 005 allow all from any to any via rl1
$cmd 006 allow all from any to any via rl2

#
# No restrictions on Loopback Interface
#
$cmd 010 allow all from any to any via lo0

#
# check if packet is inbound and nat address if it is
#
$cmd 014 divert natd ip from any to any in via $pif

#
# Allow the packet through if it has previous been added to the
# the dynamic rules table by a allow keep-state statement.
#
$cmd 015 check-state

#
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip udp from any to 194.159.73.137 53 out via $pif keep-state
$cmd 021 $skip udp from any to 194.159.73.138 53 out via $pif keep-state


# Allow out access to my ISP's DHCP server for cable/DSL configurations.
#$cmd 030 $skip udp from any to 82.161.19.0/24 67 out via $pif keep-state

$cmd 031 $skip udp from any to 82.161.19.255 520 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root GOD privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (i.e. news groups)
#$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

# Allow FTP
$cmd 140 $skip all from any to any 20,21 out via $pif setup keep-state

# Allow
$cmd 200 $skip all from any to any 5060,5190,5297,5298,16384-16403 out via $pif setup keep-state

$cmd 201 $skip all from any to any 1863 out via $pif setup keep-state
$cmd 202 $skip all from any to any 8000,8001,8040,8950,9210 out via $pif setup keep-state
$cmd 203 $skip udp from 82.161.18.200 to 66.172.95.197 5499 out via $pif keep-state
$cmd 204 $skip tcp from any to any 5500,5501 out via $pif setup keep-state

$cmd 205 $skip all from any to any 554 out via $pif setup keep-state
$cmd 206 $skip tcp from any to any 6881-6889 out via $pif setup keep-state

$cmd 207 $skip tcp from any to any 6346 out via $pif setup keep-state
$cmd 208 $skip all from any to any 2401 out via $pif setup keep-state

#
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC

Re: ICMP redirect

2005-05-25 Thread Charles Swiger

On May 25, 2005, at 11:46 AM, FreeBSD questions mailing list wrote:

Lately i get a lot (really a lot) of these errors:

icmp redirect from 127.0.0.1: my outside IP => 127.0.0.1

I have no idea where they come from or, better, how to get rid of  
them...

Can anyone point me in a direction to solve this problem?


You are probably trying to access services on the localhost via the  
name of your outside IP, rather than via localhost.  I would gather  
that you are running NAT somewhere.


You can set up /etc/hosts so that name refers to the inside IP addr,  
or set up split DNS.  Another way would be to add an alias of your  
outside IP on the machine...


--
-Chuck



Re: route entries after ICMP redirect

2005-04-11 Thread Uwe Doering
Sergey Matveychuk wrote:
I've got some problem with route entries that were created after ICMP 
redirect messages. They never expire.

Our default gateway (it's an HP switch) sends ICMP redirect messages if it 
sees a short path to a destination. That makes it not so overloaded. But 
paths sometimes change. There is no problem with Windows workstations; 
they are rebooted daily. But my FreeBSD boxes hold dynamic route entries 
forever.

I've looked through RFCs and Stevens' books and found no answer on what 
the TTL for these entries is.
Now I just added a route flush as a cron job. But maybe there is another way?
This has been fixed in CVS in MAIN (rev. 1.52) and MFC'ed to RELENG_4 
(rev. 1.37.2.5) and RELENG_5 (rev. 1.51.4.2) a couple of weeks ago:

  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/in_rmx.c
So either syncing to one of these branches or applying the relevant 
patch manually to your kernel sources ought to solve the problem.

   Uwe
--
Uwe Doering |  EscapeBox - Managed On-Demand UNIX Servers
[EMAIL PROTECTED]  |  http://www.escapebox.net


Re: route entries after ICMP redirect

2005-04-11 Thread Sergey Matveychuk
Uwe Doering wrote:
This has been fixed in CVS in MAIN (rev. 1.52) and MFC'ed to RELENG_4 
(rev. 1.37.2.5) and RELENG_5 (rev. 1.51.4.2) a couple of weeks ago:
Oh, thank you!
And thanks to [EMAIL PROTECTED]
--
Sem.


route entries after ICMP redirect

2005-04-10 Thread Sergey Matveychuk
I've got some problem with route entries that were created after ICMP 
redirect messages. They never expire.

Our default gateway (it's an HP switch) sends ICMP redirect messages if it 
sees a short path to a destination. That makes it not so overloaded. But 
paths sometimes change. There is no problem with Windows workstations; 
they are rebooted daily. But my FreeBSD boxes hold dynamic route entries 
forever.

I've looked through RFCs and Stevens' books and found no answer on what 
the TTL for these entries is.
Now I just added a route flush as a cron job. But maybe there is another way?

--
Sem.


Re: route entries after ICMP redirect

2005-04-10 Thread Andrew P.
Sergey Matveychuk wrote:
I've got some problem with route entries that were created after ICMP 
redirect messages. They never expire.

Our default gateway (it's an HP switch) sends ICMP redirect messages if it 
sees a short path to a destination. That makes it not so overloaded. But 
paths sometimes change. There is no problem with Windows workstations; 
they are rebooted daily. But my FreeBSD boxes hold dynamic route entries 
forever.

I've looked through RFCs and Stevens' books and found no answer on what 
the TTL for these entries is.
Now I just added a route flush as a cron job. But maybe there is another way?

Quoting this http://www.bsdbooks.net/shells/sysctl.html,
The third concept that we want to strengthen our box
against is redirects. In a well-designed network,
redirects to the end stations should not be required.
Both the sending and accepting of redirects should be
disabled. Again to achieve this first run the command
and then add to /etc/rc.conf:
#sysctl -w net.inet.icmp.drop_redirect=1
#sysctl -w net.inet.icmp.log_redirect=1
#sysctl -w net.inet.ip.redirect=0
#sysctl -w net.inet6.ip6.redirect=0
Best wishes,
Andrew P.


Re: route entries after ICMP redirect

2005-04-10 Thread gnn
At Sun, 10 Apr 2005 15:14:59 +0400,
Sergey Matveychuk wrote:
 
 I've got some problem with route entries that were created after ICMP 
 redirect messages. They never expire.
 
 Our default gateway (it's an HP switch) sends ICMP redirect messages if it 
 sees a short path to a destination. That makes it not so overloaded. But 
 paths sometimes change. There is no problem with Windows workstations; 
 they are rebooted daily. But my FreeBSD boxes hold dynamic route entries 
 forever.
 
 I've looked through RFCs and Stevens' books and found no answer on what 
 the TTL for these entries is.
 Now I just added a route flush as a cron job. But maybe there is another way?

Routes set through the redirect path do not have a timeout associated
with them.  The redirect message usually implies an error in the
network setup of your machines which would have to be handled by a
human being changing the configuration.

If you want to handle this in a more clever way than a cron job you
could write a small daemon which reads routing messages and does the
right thing for whatever your situation is.

Later,
George



Re: route entries after ICMP redirect

2005-04-10 Thread Sergey Matveychuk
[EMAIL PROTECTED] wrote:
If you want to handle this in a more clever way than a cron job you
could write a small daemon which reads routing messages and does the
right thing for whatever your situation is.
I've explored the code and found I can make quite an easy addition for dynamic 
routes: fill an expire field, check it periodically and remove expired 
entries (just like for ARP entries).

I am thinking of adding a sysctl variable to indicate what time will be set as 
the expire value, and setting it to zero by default (no expiry).

--
Sem.
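An added example, not code from this thread, for the "do the right thing" idea raised above and as a narrower alternative to a periodic route flush: a C program that scans `netstat -rn` text for routes whose Flags column carries D (created by a redirect) or M (modified by one) and builds `route delete` commands for the created ones only. The netstat sample is constructed and its column layout only approximates FreeBSD's; in real use feed the program the output of the command on your own release (for instance through popen) and confirm the Flags column position first. Routes that a redirect merely modified are reported rather than deleted, since the route existed before the redirect and its original gateway cannot be recovered from netstat output.

```c
/* Added example, not code from this thread: pick out the routes that ICMP
 * redirects created (flag D) or modified (flag M) from `netstat -rn` text
 * and build `route delete` commands for the created ones.  The sample
 * below is constructed; its layout approximates FreeBSD's netstat. */
#include <stdio.h>
#include <string.h>

struct redirect_route {
    char dest[64];
    char gateway[64];
    char flags[16];
};

/* Constructed sample: one host route installed by a redirect (UGHD) and one
 * static host route whose gateway a redirect rewrote (UGHSM). */
static const char sample_netstat[] =
    "Routing tables\n"
    "\n"
    "Internet:\n"
    "Destination        Gateway            Flags    Refs      Use  Netif Expire\n"
    "default            192.0.2.1          UGS         0     1024    em0\n"
    "127.0.0.1          127.0.0.1          UH          0       12    lo0\n"
    "192.0.2.0/24       link#1             UC          0        0    em0\n"
    "198.51.100.7       192.0.2.3          UGHD        0       88    em0\n"
    "203.0.113.9        192.0.2.3          UGHSM       0        5    em0\n"
    "\n"
    "Internet6:\n"
    "Destination        Gateway            Flags    Netif Expire\n"
    "::1                ::1                UH       lo0\n";

/* Copy the line starting at p into buf; return the start of the next line,
 * or NULL when the text is exhausted. */
static const char *next_line(const char *p, char *buf, size_t n)
{
    if (p == NULL || *p == '\0')
        return NULL;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= n)
        len = n - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* Scan netstat output for up routes whose flags include D or M.
 * Returns how many were stored in out. */
int find_redirect_routes(const char *text, struct redirect_route *out, int max)
{
    char line[256];
    int n = 0;
    const char *p = text;

    while (n < max && (p = next_line(p, line, sizeof line)) != NULL) {
        struct redirect_route r;
        /* Destination, Gateway and Flags are the first three columns. */
        if (sscanf(line, "%63s %63s %15s", r.dest, r.gateway, r.flags) != 3)
            continue;                 /* blank lines and section titles */
        if (r.flags[0] != 'U')
            continue;                 /* the header row ("Flags"), or a route that is down */
        if (strchr(r.flags, 'D') == NULL && strchr(r.flags, 'M') == NULL)
            continue;                 /* untouched by redirects */
        out[n++] = r;
    }
    return n;
}

/* Write the action for one route into buf.  D routes get a delete command;
 * M routes get a review note, because their pre-redirect gateway is not
 * recoverable here.  Returns 1 for a delete command, 0 for a note. */
int build_action(const struct redirect_route *r, char *buf, size_t n)
{
    if (strchr(r->flags, 'D') != NULL) {
        snprintf(buf, n, "route delete %s %s",
                 strchr(r->flags, 'H') ? "-host" : "-net", r->dest);
        return 1;
    }
    snprintf(buf, n, "# %s via %s (flags %s): gateway modified by a redirect, review manually",
             r->dest, r->gateway, r->flags);
    return 0;
}

/* Wrappers over the embedded sample so the results can be inspected. */
int sample_redirect_count(void)
{
    struct redirect_route rs[32];
    return find_redirect_routes(sample_netstat, rs, 32);
}

const char *sample_action(int idx)
{
    static char buf[256];
    struct redirect_route rs[32];
    int n = find_redirect_routes(sample_netstat, rs, 32);
    if (idx < 0 || idx >= n)
        return "";
    build_action(&rs[idx], buf, sizeof buf);
    return buf;
}

int main(void)
{
    int n = sample_redirect_count();
    for (int i = 0; i < n; i++)
        puts(sample_action(i));
    return 0;
}
```

Run from cron it would replace `route flush`, which also removes the default and static gateway routes; this keeps those and only removes what a redirect added.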


ICMP redirect

2003-07-09 Thread Bob Hall
This isn't critical, but I'm wondering if someone can tell me what 
is going on here. 

I did
traceroute 217.20.241.75
and got several of the following on ttyv0, which displays kernel and 
other messages:
icmp redirect from 213.232.120.198: 217.20.241.75 => 213.232.120.194

I'm guessing that the router at 213.232.120.198 is redirecting ICMP 
packets, but why is this information showing up on the tty that 
handles internal messages?

Bob Hall


Re: ICMP redirect

2003-07-09 Thread Dan Nelson
In the last episode (Jul 09), Bob Hall said:
 This isn't critical, but I'm wondering if someone can tell me what is
 going on here.
 
 I did
   traceroute 217.20.241.75
 and got several of the following on ttyv0, which displays kernel and 
 other messages:
   icmp redirect from 213.232.120.198: 217.20.241.75 => 213.232.120.194
 
 I'm guessing that the router at 213.232.120.198 is redirecting ICMP
 packets, but why is this information showing up on the tty that
 handles internal messages?

You probably have the net.inet.icmp.log_redirect sysctl set to 1.  It
defaults to 0.

-- 
Dan Nelson
[EMAIL PROTECTED]