
ICMP redirect problem



Hello lads,

I had a strange problem today changing over a firewall at work.

It was a simple swap-out/swap-in job, keeping the same ipf.rules,
ipnat.rules, etc., with only the interface names changing.  All
the routing, sysctls, etc. were the same.

However, one of our ethernet segments has two IP networks on it
x.x.x.x, y.y.y.y.  Setting up 98 boxes to talk to both
networks at once has been a bit of a disaster, so I installed
a Solaris box as a router ( I know, I know, it's being replaced =) ).
This box sits 'on' the eth segment, and the openbsd box sits at the
border of the segment.

Unfortunately, one of the workstations was misconfigured and was
pointing to the OpenBSD box as its default gateway (ie: it was
on x.x.x.x, and if it wanted to get to a host on y.y.y.y, it went
through the gateway).

When the new firewall was installed, this machine stopped working.
After some investigation I discovered that the router was sending
it ICMP redirects saying the host it was trying to reach was local.
The client was ignoring this and kept sending the packets to the firewall
to be routed to the end host.  The old firewall was forwarding the
packets as well as sending the redirect, the new firewall seems
only to be sending the redirect and silently dropping the packets!

Anyone have any ideas on what this is?  The rogue machine has been
reconfigured, but I'd like to know what I've missed.

			JWR
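To make the behaviour described in the post concrete, here is a small Python model of a router's forwarding and ICMP-redirect decision. It is an added example, not code from the post or from OpenBSD/IP Filter, and the addresses (192.0.2.0/24 standing in for x.x.x.x, 198.51.100.0/24 for y.y.y.y, the on-segment router at 192.0.2.254, the rogue host at 192.0.2.17) are constructed. It models the classic rule (RFC 1812): a router sends a redirect when a packet would leave on the interface it arrived on and the source could have reached the next hop directly. The one switch, `forward_after_redirect`, captures the difference observed between the old firewall (forward and redirect) and the new one (redirect only); why the new box behaves that way is not established by the post, so the model does not claim a cause.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the networks and hosts named in the post.
NET_X = ip_network("192.0.2.0/24")          # x.x.x.x, the rogue host's network
NET_Y = ip_network("198.51.100.0/24")       # y.y.y.y, the second network on the segment
NET_EXT = ip_network("203.0.113.0/24")      # the firewall's outside network
SOLARIS_ROUTER = ip_address("192.0.2.254")  # the on-segment router between x and y
ROGUE_HOST = ip_address("192.0.2.17")       # workstation using the firewall as default gateway
TARGET = ip_address("198.51.100.5")         # host on y.y.y.y it wants to reach


@dataclass
class Route:
    dest: IPv4Network
    iface: str
    gateway: Optional[IPv4Address] = None   # None means directly connected


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    in_iface: str


@dataclass
class Router:
    """Forwarding engine whose redirect policy is switchable (a modelling assumption)."""
    routes: List[Route]
    iface_nets: Dict[str, IPv4Network]
    forward_after_redirect: bool

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        # Longest-prefix match over the routing table.
        matches = [r for r in self.routes if dst in r.dest]
        return max(matches, key=lambda r: r.dest.prefixlen, default=None)

    def handle(self, pkt: Packet) -> Tuple[bool, Optional[IPv4Address]]:
        """Return (forwarded, redirect_target); redirect_target is None if no redirect is sent."""
        route = self.lookup(pkt.dst)
        if route is None:
            return False, None          # no route: drop (ICMP unreachable omitted from the model)
        next_hop = route.gateway or pkt.dst
        seg = self.iface_nets[route.iface]
        # Redirect condition: the packet would go back out the interface it came in
        # on, and the sender shares that subnet with the next hop, so it could have
        # sent the packet there directly.
        if route.iface == pkt.in_iface and pkt.src in seg and next_hop in seg:
            if not self.forward_after_redirect:
                return False, next_hop  # redirect only; the packet itself is dropped
            return True, next_hop       # redirect and still forward the packet
        return True, None


def build_firewall(forward_after_redirect: bool) -> Router:
    """The border firewall: one leg on the segment, one leg outside (constructed topology)."""
    return Router(
        routes=[
            Route(NET_X, "seg0"),
            Route(NET_Y, "seg0", SOLARIS_ROUTER),           # y.y.y.y is behind the on-segment router
            Route(ip_network("0.0.0.0/0"), "ext0", ip_address("203.0.113.1")),
        ],
        iface_nets={"seg0": NET_X, "ext0": NET_EXT},
        forward_after_redirect=forward_after_redirect,
    )


def client_reaches_target(router: Router, honors_redirects: bool, attempts: int = 3) -> bool:
    """Simulate the rogue host sending to TARGET via `router` as its default gateway.

    A host that honors redirects switches to the advertised next hop after the
    first redirect; one that ignores them keeps sending to the firewall.
    """
    learned_gateway: Optional[IPv4Address] = None
    for _ in range(attempts):
        if learned_gateway is not None:
            return True  # now sent straight to the on-segment router, which forwards it
        forwarded, redirect = router.handle(Packet(ROGUE_HOST, TARGET, "seg0"))
        if forwarded:
            return True
        if redirect is not None and honors_redirects:
            learned_gateway = redirect
    return False


if __name__ == "__main__":
    old_fw, new_fw = build_firewall(True), build_firewall(False)
    pkt = Packet(ROGUE_HOST, TARGET, "seg0")
    print("old firewall:", old_fw.handle(pkt))   # (True, 192.0.2.254): forwarded + redirect
    print("new firewall:", new_fw.handle(pkt))   # (False, 192.0.2.254): redirect only
    print("client ignoring redirects, old fw:", client_reaches_target(old_fw, False))
    print("client ignoring redirects, new fw:", client_reaches_target(new_fw, False))
    print("client honoring redirects, new fw:", client_reaches_target(new_fw, True))
```

The useful point for a defender is the last three lines: a host that ignores redirects only keeps working behind a router that forwards in addition to redirecting, which is why the misconfigured workstation broke the moment the redirect-only box went in, while correctly configured hosts (and hosts that honor redirects) saw no change. Traffic arriving on the outside interface never meets the redirect condition, so the firewall's normal job is unaffected in either mode.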