Re: Disable send ICMP redirect?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Thu, 29 Jun 2006 19:22:26 -0500
On 28 Jun 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<1151525156.121357.266510@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, bota.florin@xxxxxxxxx
wrote:
> It acts as a firewall connecting the local net to different remote
> networks (it uses a separate network interface for that and connects through
> 4 different Cisco routers) and should forward all Internet traffic to a
> router connected to the Internet (which is on the same local network - both
> router and firewall use 192.168.10.0/24 class addresses, and the hosts have
> addresses from the same class).
Your description is not that clear. Does the router configuration look
like this (use a fixed font in your browser)?

              ---------------------
hosts -------|eth0 Linux box eth1|----- router to world
192.168.10.x |                   |      192.168.10.y
             |               eth2|--- some other router
             |                   |      10.10.10.x
             |               eth3|--- yet another router
              ---------------------      172.16.16.x

or are the hosts and the router to the world connected to the _same_ network
card, like this?

              ---------------------
hosts -------|eth0 Linux box eth1|----- some other router
  |          |                   |      10.10.10.x
router ------|               eth2|--- yet another router
              ---------------------      172.16.16.x
> It forwards traffic to the remote networks correctly, but for the
> Internet traffic it answers by sending an ICMP redirect, which conforms
> to the standard.
This should happen in the second diagram - traffic comes in on eth0, and
is being sent onwards through the same eth0. This is a terrible design
for a network firewall. I think we need to see the routing table.
There could also be confusion in the top diagram (where only the router
is on eth1, and the hosts are on eth0) if you have identical network routes
on eth0 and eth1. If the same address range is used on both interfaces, the
router interface needs to be a 'host' route rather than a network route.
> Is it possible to disable the sending of ICMP redirects and have Linux
> forward the packets to the correct router (even if the host and the
> router are on the same network)? I know this will effectively increase
> the traffic, but it will allow the firewall to correctly check the
> packets.
This really sounds like the hosts and router are on the same wire, which
makes the firewall nearly useless. The firewall must stand between the
two, and this can only be done by having the router on a different NIC
than the hosts.
Old guy
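As an added illustration (not part of the thread), a small Python model of the route lookup behind the answer: whether a forwarded packet would leave through the NIC it arrived on, which is what makes the box answer with a redirect, and how a duplicate /24 on two NICs versus a host route for the router's interface changes that. The tables and addresses (198.51.100.7 standing in for the Internet, 192.168.10.254 for the router) are constructed from the two diagrams.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: str                    # destination; a /32 like 192.168.10.254/32 is a host route
    gateway: Optional[str] = None  # None: destination is directly connected
    dev: Optional[str] = None      # None: egress NIC comes from the route to the gateway

def lookup(table, dst):
    """Longest-prefix match; on equal length the earliest entry wins (the ambiguity
    of identical network routes on two NICs)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

def egress_dev(table, route):
    """NIC a route really uses: its own dev, else the dev of the route to its gateway."""
    if route.dev:
        return route.dev
    via = lookup(table, route.gateway)
    return via.dev if via else None

def forwarding_decision(table, ifaces, in_dev, src, dst):
    """Simplified model of the kernel forwarding path: an ICMP redirect is sent instead
    of a quiet forward when the packet would leave through the NIC it arrived on and
    the sender sits on that NIC's own subnet."""
    route = lookup(table, dst)
    if route is None:
        return "no route"
    out = egress_dev(table, route)
    if out == in_dev and ipaddress.ip_address(src) in ipaddress.ip_network(ifaces[in_dev]):
        return "redirect"
    return "forward"

# Constructed topologies after the two diagrams; 198.51.100.7 (documentation range)
# stands in for "the world", .254 for the Internet router.
WORLD, HOST, ROUTER = "198.51.100.7", "192.168.10.20", "192.168.10.254"
IFACES = {"eth0": "192.168.10.0/24"}  # only the inbound NIC's subnet is consulted
# Second diagram: hosts and the Internet router share eth0.
FLAT = [Route("192.168.10.0/24", dev="eth0"), Route("10.10.10.0/24", dev="eth1"),
        Route("0.0.0.0/0", gateway=ROUTER, dev="eth0")]
# First diagram with identical /24 routes on eth0 and eth1 and no dev on the default.
DUPLICATE = [Route("192.168.10.0/24", dev="eth0"), Route("192.168.10.0/24", dev="eth1"),
             Route("0.0.0.0/0", gateway=ROUTER)]
# First diagram done right: the router is reached through a host route on eth1.
HOSTROUTE = [Route("192.168.10.0/24", dev="eth0"), Route(ROUTER + "/32", dev="eth1"),
             Route("0.0.0.0/0", gateway=ROUTER)]

def diagnose():
    """What a LAN host on eth0 gets when it sends to the world under each table."""
    return {name: forwarding_decision(t, IFACES, "eth0", HOST, WORLD)
            for name, t in (("flat", FLAT), ("duplicate", DUPLICATE), ("hostroute", HOSTROUTE))}
```

Traffic to the remote 10.10.10.0/24 network is forwarded in every table because it leaves through a different NIC, matching the behaviour described in the question.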