Just before my holidays (now 4 weeks ago, eek), I had a discussion in this thread (cache) on the openbsd-misc mailing list with someone who assumed OpenBSD was somehow causing trouble for his client systems.
He was running a gateway, with pf enabled, that used ICMP redirects to point internal clients to a VPN router on his LAN. After the discussion went off-list, he explained his problems in more detail, and I came up with the following explanation:
- you do filtering on the internal interface
- the OpenBSD box gets the TCP SYN, forwards the packet and sends the redirect
- a route is added on the client, and the TCP session is established, bypassing the OpenBSD gateway
- after 10 minutes (or so) the route generated from the ICMP redirect times out, and packets are sent to the default gateway again
- the OpenBSD box receives packets from a TCP session it has no state for, and throws them away
- your TCP session dies

So, if you're using ICMP redirects, you can't do stateful filtering on the internal interface.
Oops.
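To make the conclusion concrete, here is an added pf.conf fragment (my own example, not the configuration of the person in the thread). The interface names, the LAN prefix and the rule set itself are assumptions; only the point about where state may be kept comes from the explanation above.

```pf
# Added example, not from the original post. Interface names and the
# LAN prefix are placeholders.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

block all

# Broken: stateful filtering on the internal interface. The SYN creates
# a state, the ICMP redirect then moves the flow to the VPN router on
# the LAN, and when the client's redirect route expires the mid-session
# packets come back here, match no state, and are dropped.
# pass in on $int_if proto tcp from $lan to any keep state

# Working: filter statelessly on the internal interface (both
# directions, since redirected traffic is forwarded back out of it) and
# keep stateful filtering only on the external interface, which is never
# bypassed by a redirect to a router on the LAN.
pass in  on $int_if proto tcp from $lan to any flags any no state
pass out on $int_if proto tcp from any to $lan flags any no state
pass out on $ext_if proto tcp from $lan to any keep state
```

If you do not need to filter the internal interface at all, `set skip on $int_if` achieves the same effect with fewer rules. Either way the stateful rules stay on the external interface, where every packet of an outbound session still passes in both directions, so the ten-minute route timeout on the client no longer hands pf a session it has never seen.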