Re: Generating ICMP Redirects

2006-01-19 Thread Steven S
ing on my home fw and it seems that carp interfaces don't like generating ICMP redirects (for me anyhow.) Here is my test,

My WS (XP) - 192.168.83.51
My FW (OBSD 3.8) - 192.168.83.1
My server (OBSD 3.8) - 192.168.83.47

My WS normally has a default gw of the FW. My rules to/from the inside

Re: Generating ICMP Redirects

2006-01-19 Thread Melameth, Daniel D.
Steven S wrote: > I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and > default gw (10.10.0.1/16) for a LAN . VPN users (10.4.0.0/16) come > into the LAN from a PIX (10.10.0.254/16) (changing soon to OpenVPN), > and when the VPN users hit a server return packets are sent to the > d

Re: Generating ICMP Redirects

2006-01-19 Thread Steven S
Stuart Henderson wrote: ... >> [EMAIL PROTECTED] pfctl -s rules |grep 10.4 >> pass in quick on fxp2 inet from 10.10.0.0/16 to 10.4.0.0/16 >> pass out quick on fxp2 inet from 10.4.0.0/16 to 10.10.0.0/16 > > I suspect you will need to allow the packets through in order to get > the redirects sent. A

Re: Generating ICMP Redirects

2006-01-19 Thread Stuart Henderson
On 2006/01/19 11:37, ober wrote: > Isn't "Destination unreachable" icmp a reply to a closed udp port? Not if it's coming from the firewall rather than the endpoint - but 'block return' to a udp port does give 'destination unreachable' icmp.

Re: Generating ICMP Redirects

2006-01-19 Thread ober
[EMAIL PROTECTED] wrote: On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote: ... What about sysctl net.inet.ip.forwarding? Is it set to 1? wq Claudio Yep. The firewalls are working perfectly aside from this

Re: Generating ICMP Redirects

2006-01-19 Thread Steven S
[EMAIL PROTECTED] wrote: > On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote: ... > > What about sysctl net.inet.ip.forwarding? Is it set to 1? > >> wq Claudio Yep. The firewalls are working perfectly aside from this redirect issue. They are even performing ISP load balancing (when the s

Re: Generating ICMP Redirects

2006-01-19 Thread Stuart Henderson
On 2006/01/19 10:32, Steven S wrote: > I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default > gw (10.10.0.1/16) for a LAN . VPN users (10.4.0.0/16) come into the LAN > from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN > users hit a server return packet

Re: Generating ICMP Redirects

2006-01-19 Thread Claudio Jeker
On Thu, Jan 19, 2006 at 10:32:40AM -0500, Steven S wrote: > Greetings, > > I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default > gw (10.10.0.1/16) for a LAN . VPN users (10.4.0.0/16) come into the LAN > from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the V

Generating ICMP Redirects

2006-01-19 Thread Steven S
Greetings, I'm using a pair of 3.8-stable (1/5/06) servers as the firewall and default gw (10.10.0.1/16) for a LAN . VPN users (10.4.0.0/16) come into the LAN from a PIX (10.10.0.254/16) (changing soon to OpenVPN), and when the VPN users hit a server return packets are sent to the default gw. I