[wellylug] Disabling ICMP Redirects from a Router
Ewen McNeill
wellylug at ewen.mcneill.gen.nz
Mon Oct 11 18:19:55 NZDT 2004
In message <1097470759.551.2.camel at localhost.localdomain>, Jethro Carr writes:
>On Tue, 2004-10-12 at 06:38, Chris Hodgetts wrote:
>> Does anyone know how to disable a router/gateway from sending ICMP
>> Redirect packets out? [....]
>
>However, you really should be looking at whatever is being broken by the
>ICMP packets - that's the real problem.

I suspect that it's breaking NAT, and it's breaking NAT because you end
up with an asymmetric path for the packets (i.e., incoming is different
from outgoing), so that the "unmunging" for the NAT is not being
applied.

It's also possible that it is breaking stateful firewalling, but that's
less likely as I haven't seen ICMP redirects being generated in a
situation where stateful firewalling is involved, but I've seen it
relatively often when NAT is involved.

Essentially once you start adding NAT to your network -- and
unfortunately I suspect the vast majority of networks in the world these
days have some NAT in them somewhere -- you have to expect strange
things to happen in some instances.

Ewen
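
Added example, not part of the original message: an audit for the question in the thread subject, assuming the router is a Linux box (the thread does not say). The kernel ORs conf.all.send_redirects with the per-interface value, so clearing "all" alone leaves any interface set to 1 still sending redirects; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Audit which interfaces on a Linux gateway will still send ICMP redirects.
# Assumption: Linux router; the input is in the format printed by `sysctl -a`.

# Constructed sample input (not taken from the thread).
SAMPLE='net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0'

# redirect_senders: read sysctl-style lines on stdin and print every entry
# whose effective setting is "send redirects" (all OR per-interface).
# "default" is listed too, because interfaces created later copy it.
redirect_senders() {
    awk -F'[ =]+' '
        $1 ~ /^net\.ipv4\.conf\..+\.send_redirects$/ {
            name = $1
            sub(/^net\.ipv4\.conf\./, "", name)
            sub(/\.send_redirects$/, "", name)
            if (name == "all") { all = $2 + 0; next }
            order[++n] = name          # keep input order for the report
            val[name] = $2 + 0
        }
        END {
            for (i = 1; i <= n; i++)
                if (all || val[order[i]]) print order[i]
        }'
}

# fix_commands: print (do not run) the sysctl commands that clear the
# setting on "all" and on every entry reported by redirect_senders.
fix_commands() {
    echo "sysctl -w net.ipv4.conf.all.send_redirects=0"
    redirect_senders | while read -r name; do
        echo "sysctl -w net.ipv4.conf.$name.send_redirects=0"
    done
}

# Stand-alone run over the constructed sample; on a real gateway use:
#   sysctl -a 2>/dev/null | redirect_senders
printf '%s\n' "$SAMPLE" | redirect_senders
```

Turning redirects off only stops the router advertising the shorter route; it does not remove the asymmetric path that the message above identifies as the cause.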