Disable send ICMP redirect?

 
 
bota.florin@gmail.com (06-28-2006, 08:05 PM)
Hi all,

I have a problem with a new firewall, installed with Fedora Core 5 and updated with all the latest packages available from update. It acts as a firewall connecting the local net to different remote networks (it uses a separate network interface for that and connects through 4 different Cisco routers) and should forward all Internet traffic to a router connected to the Internet (which is on the same local network; both router and firewall use 192.168.10.0/24 class addresses, and the hosts have addresses from the same class). It forwards traffic to the remote networks correctly, but for the Internet traffic it answers by sending an ICMP redirect, which conforms to the standard. The problem is that PC hosts (Windows 2000, Windows XP and Windows 2003 with different SPs) simply discard the ICMP redirect, so they can't access the Internet. Besides that, the firewall can't continue its firewall work, since hosts would connect directly to the Internet through the router.

Is it possible to disable the sending of ICMP redirects and have Linux forward the packets to the correct router (even if the host and the router are on the same network)? I know this will effectively increase the traffic, but it will allow the firewall to correctly check the packets. Are there any values I can put in some /proc files to get this behaviour? I managed to place a 0 in send_redirects and Linux did not send any more ICMP redirects, but it did not forward packets that came in on an interface and should exit through the same interface either (it correctly forwards packets coming in on one interface and exiting through a different interface).

Thanks a lot,
Florin Bota.

 
 
 
 
 
Moe Trin (06-30-2006, 12:22 AM)
On 28 Jun 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, (E-Mail Removed)
wrote:

>It acts as a firewall connecting the local net to different remote
>networks (uses for that a separate network interface and connects through
>4 different cisco routers) and should forward all Internet traffic to a
>router connected to internet (which is on the same local network - both
>router and firewall use 192.168.10.0/24 class addresses, the hosts have
>addresses from the same class).


Your description is not that clear. Does the router configuration look
like this (use a fixed font in your browser)

              ---------------------
hosts ------ |eth0  Linux box  eth1|----- router to world
192.168.10.x |                     |      192.168.10.y
             |                 eth2|--- some other router
             |                     |      10.10.10.x
             |                 eth3|--- yet another router
              ---------------------       172.16.16.x

or are the hosts and router to the world connected to the _same_ network
card like this

              ---------------------
hosts ------ |eth0  Linux box  eth1|----- some other router
   |         |                     |        10.10.10.x
router ----  |                 eth2|--- yet another router
              ---------------------       172.16.16.x

>It forwards traffic to the remote networks correctly, but for the
>Internet traffic it answers by sending an ICMP redirect, which conforms
>to the standard.


This should happen in the second diagram - traffic comes in on eth0, and
is being sent onwards through the same eth0. This is a terrible design
for a network firewall. I think we need to see the routing table.

There could also be confusion in the top diagram (where only the router
is on eth1, and the hosts are on eth0) if you have identical network routes
on eth0 and eth1. If the same address range is used on both interfaces, the
router interface needs to be a 'host' route rather than a network route.

>Is it possible to disable the sending of ICMP redirects and have Linux
>forward the packets to the correct router (even if the host and the
>router are on the same network)? I know this will effectively increase
>the traffic but it will allow the firewall to correctly check the
>packets.


This really sounds like the hosts and router are on the same wire, which
makes the firewall nearly useless. The firewall must stand between the
two, and this can only be done by having the router on a different NIC
than the hosts.

Old guy
 
 
bota.florin@gmail.com (07-03-2006, 02:30 PM)

Moe Trin wrote:

> Your description is not that clear. Does the router configuration look
> like this (use a fixed font in your browser)

Here is a diagram:

hosts AND WAN router ------ |eth0  Linux box  eth1| ------ other routers to remote networks
192.168.10.x                 192.168.10.1  192.168.254.1  192.168.254.X

The problem presented itself in the traffic from the hosts to the internet, since all hosts have the linux box as gateway. The number of hosts is quite large and inserting different routes for the remote networks is not an option (some devices do not accept that, printers mostly, and the remote networks have to print correctly on the local printer).

By using the Linux box as gateway we firewall ONLY traffic meant for the remote networks, while traffic for the internet passes through the WAN router, which has its own firewall. The problem was to disable the ICMP redirect. We managed to get it done by issuing a value of 1 in the send_redirect files in the /proc/sys/net/ directory.

After disabling that redirect I discovered that traffic was still not passing as expected through the linux box, which is now acting as a transparent proxy. I identified the problem to be in the iptables rules, which were using ip_conntrack connection state in order to allow ESTABLISHED and RELATED connection traffic to pass through. It seems that in the latest versions they corrected a bug related to the ESTABLISHED connection state, so that half-open connections are no longer considered open, and so the traffic did not pass anymore. This is due to the fact that when hosts access the internet they send a SYN packet through the linux firewall, so ip_conntrack places the connection in the SYN_NOT_ANSWERED state. The server on the internet answers by sending the SYNACK packet, which does NOT pass through the Linux firewall (the WAN router knows the route to the local network, so it just sends the packet directly to the destination). The host sends an ACK packet, which is blocked by the firewall since the server has not yet "sent" a SYNACK packet (the firewall never saw the packet, since it went directly to the host).

The temporary solution we adopted was to disable the use of connection state in the rules, and in the near future I'll do a redesign of the network, moving the WAN router into the network connected to eth1, forcing ALL packets to pass through the linux box this way.

Thanks for your help.
Florin.

 
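To make the half-open-connection failure described in the post above concrete, here is a toy model of ip_conntrack's TCP state tracking. It is added here as an illustration, not kernel code and not anything from the thread; the host and server addresses and the packet sequences are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # one of "SYN", "SYN-ACK", "ACK" (constructed, not real captures)


@dataclass
class ConntrackToy:
    # per-connection state, keyed by (client, server) as recorded from the SYN
    table: dict = field(default_factory=dict)

    def classify(self, pkt: Packet) -> str:
        """Verdict the `-m state` match would see for a packet crossing the box."""
        orig, reply = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        state = self.table.get(orig) or self.table.get(reply)
        if pkt.flags == "SYN" and state is None:
            self.table[orig] = "SYN_SENT"      # "SYN_NOT_ANSWERED" in the post
            return "NEW"
        if pkt.flags == "SYN-ACK" and self.table.get(reply) == "SYN_SENT":
            self.table[reply] = "SYN_RECV"     # reply seen: now ESTABLISHED
            return "ESTABLISHED"
        if pkt.flags == "ACK" and self.table.get(orig) in ("SYN_RECV", "ESTABLISHED"):
            self.table[orig] = "ESTABLISHED"
            return "ESTABLISHED"
        # An ACK in the original direction while still SYN_SENT is out of
        # sequence (the box never saw the SYN-ACK), so it is INVALID.
        return "INVALID"


def verdicts(packets_seen_by_firewall):
    """Classify, in order, only the packets that actually traverse the Linux box."""
    ct = ConntrackToy()
    return [ct.classify(p) for p in packets_seen_by_firewall]


HOST, SERVER = "192.168.10.50", "203.0.113.7"  # constructed addresses
SYN = Packet(HOST, SERVER, "SYN")
SYNACK = Packet(SERVER, HOST, "SYN-ACK")
ACK = Packet(HOST, SERVER, "ACK")

# WAN router behind its own NIC: every packet of the handshake crosses the box.
SYMMETRIC_PATH = [SYN, SYNACK, ACK]
# WAN router on the host segment: the SYN-ACK is delivered to the host
# directly, so the box sees the SYN and then only the bare ACK.
ASYMMETRIC_PATH = [SYN, ACK]
```

Running `verdicts` on both paths shows the ESTABLISHED rule accepting the whole handshake on the symmetric path but marking the third packet INVALID on the asymmetric one, which is exactly the "blocked ACK" observed in the post.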
 
Moe Trin (07-04-2006, 09:51 PM)
On 3 Jul 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, (E-Mail Removed)
wrote:

>hosts AND WAN router ------ |eth0  Linux box  eth1| ------ other routers to remote networks
>192.168.10.x                 192.168.10.1  192.168.254.1  192.168.254.X

Ah, OK that is a problem.

>The problem presented itself in the traffic from the hosts to the internet,
>since all hosts have the linux box as gateway. The number of hosts is
>quite large and inserting different routes for the remote networks is
>not an option (some devices do not accept that, printers mostly, and the
>remote networks have to print correctly on the local printer).


I see what you are doing - it's just that few people use this setup as
this doubles the traffic on the local network, and offers an easy way
to bypass the firewall. Also, because of abuse, a lot of systems (both
Operating Systems, and individual system configurations) will ignore
redirects (ICMP Type 5) completely to avoid denial of service attacks.
Do your printers really need to be accessible from the world?

>By using the Linux box as gateway we firewall ONLY traffic meant for
>the remote networks, while traffic for the internet passes through the WAN
>router, which has its own firewall.


Are you saying that the Linux box is not meant to firewall the Internet
traffic, but is to firewall the other non-Internet remote networks? The
normal solution is to provide correct routes in the setup and not depend
on redirects.

>I identified the problem to be in the iptables rules, which were using
>ip_conntrack connection status in order to allow ESTABLISHED and RELATED
>connections traffic to pass through.


Understood. This is possibly because the network layout is not common,
and this condition was not tested.

>The temporary solution we adopted was to disable the use of connection
>state in the rules, and in the near future I'll do a redesign of the
>network, moving the WAN router into the network connected to eth1,
>forcing ALL packets to pass through the linux box this way.


Another solution would be to add another NIC to the Linux box, and
connect it to the WAN router alone.

Old guy
 