From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan B db@cyclonehq.dnsalias.net
Date: Thu, 15 Feb 2001 04:44:30 +0000
Subject: Preventing ICMP Redirects?   (was: Re: [LARTC] HTTP only
Message-Id: <marc-lartc-98373940417020@msgid-missing>
List-Id: <lartc.vger.kernel.org>
References: <marc-lartc-98373940417007@msgid-missing>
In-Reply-To: <marc-lartc-98373940417007@msgid-missing>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

<PRE>At 02:36 AM 2/11/2001 -0200, Rogerio Brito wrote:
&gt;<i>On Feb 10 2001, bert hubert wrote:
</I>&gt;<i> &gt; You can, I think, but you need to be very sure that your NAT machine
</I>&gt;<i> &gt; isn't sending out any ICMP Redirects.
</I>&gt;<i>
</I>&gt;<i>         I've been bitten by these ICMP Redirects once. Is there any
</I>&gt;<i>         way to prevent them from being sent out? Perhaps doing some
</I>&gt;<i>         packet filtering of the ICMP Redirects? Even if this works,
</I>&gt;<i>         this sure sounds like a dirty solution... :-(
</I>&gt;<i>
</I>&gt;<i>         In that occasion, I was trying to set up a masquerading box
</I>&gt;<i>         with only one NIC and two IP addresses (the Internet-valid one
</I>&gt;<i>         and the private one), hooking everything in a single hub and
</I>&gt;<i>         routing accordingly.
</I>&gt;<i>
</I>&gt;<i>         I don't remember the details (since this was many months ago),
</I>&gt;<i>         but the only solution that I could make work was to buy
</I>&gt;<i>         another NIC for the masquerading box and put one IP in each
</I>&gt;<i>         NIC, doing everything as usual. :-(
</I>&gt;<i>
</I>&gt;<i>         As I don't remember more details of the situation, I'm just
</I>&gt;<i>         hoping that this description rings a bell for someone. Any
</I>&gt;<i>         explanation of how to make this setup with just one NIC or
</I>&gt;<i>         comments on why this shouldn't be done are immensely
</I>&gt;<i>         appreciated.
</I>
Even when you correctly aliased your single NIC to act like two interfaces?

eth0:0  routable ip / external (seperate) subnet
eth1:1 local ip / local subnet

I've done what you described using aliasing a couple of times and I never 
got bit by ICMP redirects (like I did this last time).

Now I kind of wish I would have fixed the ICMP redirect problem instead of 
just changing subnets.  :-)

Dan Browning, Cyclone Computer Systems, <A HREF="mailto:danb@cyclonecomputers.com">danb@cyclonecomputers.com</A>



</PRE>