ICMP redirect and transparent firewalls

Peter Benie (pjb1008@cam.ac.uk)
Fri, 15 Jan 1999 18:56:53 +0000


I've just discovered an interesting interaction between icmp redirect
and transparent firewalls:

I have a machine running 2.2-pre4 that I intend to use as a packet
filter. I want to make it transparent so that if it develops a fault,
I can just remove it from the network. To achieve this, I have
turned on ip_forward, conf/all/accept_redirect and conf/all/proxy_arp
under /proc/sys/net. Both the machines inside the firewall and the
firewall machine itself know about just one gateway and rely on icmp
redirects to select a better router.

When a machine inside the firewall sends out a packet, it sends it to
a router outside the firewall. Because proxy arp is in use, it
actually sends the packet to the firewall machine, which in turn sends
the packet to the router.

The router sends the packet on its way and sends an icmp redirect back
to the original host. The redirect is passed through the firewall with
no action being taken, and the original host updates its routing table.

When the machine inside the firewall sends a second packet, it sends
it to the new router. Again, the packet is actually sent to the
firewall machine because of proxy arp, and the firewall machine then
sends the packet to the router. Unfortunately, because the firewall
machine has not processed the icmp redirect, it actually sends the
packet to the old router.

The result is that every packet going out of the network results in an
icmp redirect, which is ignored. What I would like is for icmp
redirects to be processed by the firewall machine rather than sent on
to the original host.

I believe that to do this, I need to put something like the following
in ip_forward():

    /* Forwarded ICMP packet, and proxy arp is turned on for the output dev */
    if (iph->protocol == IPPROTO_ICMP
        && IN_DEV_PROXY_ARP(dev2->ip_ptr))
    {
        /* ICMP header follows the IP header (ihl is in 32-bit words) */
        struct icmphdr *icmph = (struct icmphdr *)((char*)iph + (iph->ihl << 2));
        /* Hand redirects to the local stack instead of forwarding them */
        if (icmph->type==ICMP_REDIRECT)
            return ip_local_deliver(skb);
    }

Before I try this, could somebody tell me I'm doing the right thing,
or else call me an idiot and point out the obvious error I'm making.

Peter

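The following is an added userland model of the check proposed in the mail above; it is not from the mail or from the 2.2 kernel, and it does not touch ip_forward() or any kernel structure. Given the raw bytes of a packet about to be forwarded and a flag saying whether proxy arp is on for the output device, classify_forwarded() decides whether the packet is an ICMP redirect the firewall should consume itself. It goes one step beyond the posted snippet by checking the IP header length, the fragment offset (only the first fragment carries the ICMP header) and the packet length before reading the ICMP type. The function names, the enum, build_icmp_packet() and the 192.0.2.x addresses in the constructed sample packet are all assumptions made for this example; checksums are left zero because the decision never looks at them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Protocol constants, spelled out so the file builds without <linux/*.h>. */
#define PROTO_ICMP         1
#define ICMP_TYPE_REDIRECT 5
#define ICMP_TYPE_ECHO     8

enum fw_verdict { FW_FORWARD = 0, FW_LOCAL_DELIVER = 1, FW_DROP = 2 };

/*
 * Model of the decision proposed for ip_forward(): given the raw bytes of a
 * packet that is about to be forwarded and whether proxy arp is enabled on
 * the output device, say whether the packet is an ICMP redirect that the
 * firewall itself should process. Unlike the posted snippet it checks the
 * header lengths and the fragment offset before reading the ICMP type.
 */
enum fw_verdict classify_forwarded(const uint8_t *pkt, size_t len, int out_dev_proxy_arp)
{
    if (len < 20)
        return FW_DROP;                  /* shorter than a minimal IPv4 header */
    unsigned ihl = (pkt[0] & 0x0fu) * 4u; /* header length in bytes, options included */
    if ((pkt[0] >> 4) != 4 || ihl < 20 || len < ihl)
        return FW_DROP;                  /* not IPv4, or IHL points past the packet */
    if (pkt[9] != PROTO_ICMP || !out_dev_proxy_arp)
        return FW_FORWARD;               /* not ICMP, or output dev has no proxy arp */
    unsigned frag_off = ((unsigned)pkt[6] << 8 | pkt[7]) & 0x1fffu;
    if (frag_off != 0)
        return FW_FORWARD;               /* only the first fragment holds the ICMP header */
    if (len < ihl + 8)
        return FW_DROP;                  /* ICMP header would run off the end of the packet */
    if (pkt[ihl] == ICMP_TYPE_REDIRECT)
        return FW_LOCAL_DELIVER;         /* let the firewall's own stack eat the redirect */
    return FW_FORWARD;
}

/*
 * Build a constructed IPv4 + ICMP packet into buf and return its length, or 0
 * if the arguments are out of range. Router 192.0.2.1 tells inside host
 * 192.0.2.10 to use gateway 192.0.2.2 (documentation addresses, made up here).
 */
size_t build_icmp_packet(uint8_t *buf, size_t cap, uint8_t icmp_type,
                         unsigned ihl_words, uint16_t frag_off)
{
    if (ihl_words < 5 || ihl_words > 15)
        return 0;
    size_t ihl = ihl_words * 4, total = ihl + 8;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl_words);          /* version 4, IHL */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)(frag_off >> 8); buf[7] = (uint8_t)frag_off;
    buf[8] = 64;                                    /* TTL */
    buf[9] = PROTO_ICMP;
    buf[12] = 192; buf[13] = 0; buf[14] = 2; buf[15] = 1;   /* source: old router */
    buf[16] = 192; buf[17] = 0; buf[18] = 2; buf[19] = 10;  /* destination: inside host */
    buf[ihl] = icmp_type;
    buf[ihl + 1] = 1;                               /* code 1: redirect for host */
    buf[ihl + 4] = 192; buf[ihl + 5] = 0; buf[ihl + 6] = 2; buf[ihl + 7] = 2; /* new gateway */
    return total;
}

/* Convenience wrapper: build a packet, optionally truncate it, classify it. */
int verdict_for(uint8_t icmp_type, unsigned ihl_words, uint16_t frag_off,
                int proxy_arp, size_t truncate_to)
{
    uint8_t buf[80];
    size_t len = build_icmp_packet(buf, sizeof buf, icmp_type, ihl_words, frag_off);
    if (len == 0)
        return -1;
    if (truncate_to && truncate_to < len)
        len = truncate_to;
    return (int)classify_forwarded(buf, len, proxy_arp);
}

int main(void)
{
    static const char *names[] = { "forward", "local_deliver", "drop" };
    printf("redirect, proxy arp on:        %s\n", names[verdict_for(ICMP_TYPE_REDIRECT, 5, 0, 1, 0)]);
    printf("redirect, proxy arp off:       %s\n", names[verdict_for(ICMP_TYPE_REDIRECT, 5, 0, 0, 0)]);
    printf("echo request, proxy arp on:    %s\n", names[verdict_for(ICMP_TYPE_ECHO, 5, 0, 1, 0)]);
    printf("redirect, later fragment:      %s\n", names[verdict_for(ICMP_TYPE_REDIRECT, 5, 0x0010, 1, 0)]);
    printf("redirect, truncated to 22 B:   %s\n", names[verdict_for(ICMP_TYPE_REDIRECT, 5, 0, 1, 22)]);
    return 0;
}
```

The verdict that matters for the mail's problem is the first line: a redirect leaving through a proxy-arp device is handed to the local stack, so the firewall's own routing table learns the better router and the inside host stops receiving a redirect for every packet. The fragment and length checks are the caveat to carry back into a real patch: the posted snippet reads icmph->type unconditionally, and on a non-first fragment or a runt packet that byte is not an ICMP type at all.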
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/