NAT and ICMP
michael.gale at utilitran.com
Fri Feb 18 22:10:40 CET 2005
Sorry ... I was thinking of the system with out NATing ... obviously I
need a day off.
Michael Gale wrote:
> This makes sense from a routing perspective, if your RH box was a
> router on the web or routing to public networks then it would be
> functioning normally.
> How ever is a firewall setup this is a undesirable response ... I would
> suggest blocking ICMP traffic on the external interface. Some people
> like to allow some specific ICMP traffic like Destination Unreachable or
> PATH MTU ... some people simple block all ICMP traffic.
> I do not think this is a netfilter problem just a simple configuration
> issue depending on your setup.
> Don Cohen wrote:
>> Here's some behavior that seems clearly wrong, though I'm not
>> sure what is right. This is from a redhat 8 box, 2.4.18-14,
>> so it's possible that this could be either specific to redhat
>> or fixed (or at least altered) in later kernels.
>> This box is connected to a LAN, and doing NAT for that LAN:
>> inside 10.0.0.2 --- 10.0.0.1 redhat8 24... --- internet --- server
>> The inside machine connects to the server in the internet.
>> In my test case it's doing ssh, running a program that prints
>> the time every minute.
>> I now disconnect the inside machine.
>> The server sends the next time update (to 24..., the address of
>> the redhat NAT machine, to be forwarded to the inside machine).
>> The redhat machine can no longer reach the inside machine and
>> replies with ICMP host unreachable - returning the packet that
>> it could not deliver, which is addressed to 10.0.0.2 !
>> This is clearly wrong, since the server has no idea who 10.0.0.2
>> is. On the other hand, it also makes no sense to claim that
>> 24... is an unreachable host - that's the one that is actually
>> answering. The best I can think of is that it ought to say that
>> the port is unreachable for the packet it received (pre-NAT, so
>> its own address and the port as seen at the server).
Hey, let me file that under important .... > /dev/null
"Hey did you read my e-mail"
"Let my check"
^From:.* > /dev/null
"Nope, I missed it, send it again"
More information about the netfilter-devel