icmp problem with a-symmetric routing

[Harald Welte]

On Fri, Jun 29, 2001 at 10:56:50PM +0200, Sneppe Filip wrote:
> Hi,
> 
> I don't know if the cause of the following problem is netfilter related, but
> it's definately a weird networking problem.

it is a problem of basic ip networking.

> A linux firewall/proxy is the gateway to the internet. It has eth0
> (10.0.10.2/16) as the internal interface. all hosts on the local network
> (10.0.0.0/16) have it as their default gateway.
> 
> There are also a number of remote networks that are reached via leased
> lines. The router to the leased lines has IP address 10.0.10.105 (it's a
> CISCO router). For the sake of brevity, I will only detail one remote
> network.
> 
> The remote network is at 10.1.11.0/24 with 10.1.11.1 and 10.1.11.10 being
> the default gateway and a host at the other end.
> 
> Essentially what I want is not to add any persistent routes on any of the
> hosts on the 10.0.0.0/16 network, but have them forward all packets for
> 10.1.11.0/24 to 10.0.10.2 (the linux firewall) via the default gateway
> mechanism, and then have the linux firewall route those packets to the
> destination network via 10.0.10.105.
> 
> So essentially, ethernet frames are going like this on my network:
> 
> 10.0.10.x -> 10.0.10.2 -> 10.0.10.105 -> leased line -> 10.1.11.1 ->
> 10.1.11.y

This is not how IP networks work. 10.0.10.2 will send an ICMP redirect.

> The W2K box 10.0.10.66 shows an additional entry in its routing table and
> uses 10.0.10.105 to route packets to 10.1.11.0 from now on.
> 
> I talked to someone with some CISCO/networking experience about this, and he
> informed me that this is expectable behavior from a router.

exactly.

> However, we also have a bunch of NT4 servers on our network, and they  seem
> to be choking on the ICMP redirects. Hence, I added the following at the end
> of the firewall script to make sure the linux firewall doesn't send any icmp
> redirects:
> 
> echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 
> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 
> echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

this is a broken configuration. The Linux box is supposed to send redirects,
as this is the required behaviour by the RFC's. Go and fix the NT boxes.

> In other words, the firewall is dropping icmp echo replies if it doesn't see
> an echo request firts ?!?

yes, it does if you have connection tracking loaded and do stateful 
firewalling..

stateful firewalling can only work if you see packets in both direction.


> receives from 10.0.10.66. Example: here the firewall is forwarding the
> SYN/ACK in response to a SYN from 10.1.11.10 to 10.0.10.66 (the firewall
> didn't see this SYN as it went from 10.0.10.105 straight to 10.0.10.66 via a
> switch):

this is because of the difference in icmp and tcp connection tracking.

A tcp connection (from a netfilter conntrack point of view) doesn't necessarily
have to be initialize by a SYN packet. This way, for example, tcp connections
can survive even after a firewall reboot, or a re-load of the connection
tracking modules. if we see a non-syn ack packet in one way, consider this
packet as NEW, it is accepted by the filtering rules, and we recieve 
ACK packets in the reply direction, the connection is ESTABLISHED.

This, however, cannot work with ICMP.  Each echo request creates a NEW
connection, and each reply ESTABLISHEs this connection and closes it at
the same time.

> TIA,
> Filip

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)