Re: IPFW2 versrcreach update

• Previous message: Petri Helenius: "Re: IPFW2 versrcreach update"
• In reply to: Petri Helenius: "Re: IPFW2 versrcreach update"
• Next in thread: James: "Re: IPFW2 versrcreach update"
• Reply: James: "Re: IPFW2 versrcreach update"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Wed, 21 Jul 2004 14:14:10 -0400
To: Petri Helenius <pete@he.iki.fi>

> >
> Where would the ICMP go anyway because you either don?t have a route to
> where you would point the packet to or the route points to null.

Under uRPF drop condition, ICMP should not happen b/c the source of the route
is null route.

Under normal, non-uRPF drop condition, ICMP unreachable will go to the *source*
who is _not_ part of the null route.

For example: If you are host 10.10.10.2 behind a router 10.10.10.1, and you
run traceroute to 3.3.3.3 and if your router does not have a route for 3.3.3.3
(not even default route), the router will generate !N/!H icmp message back to
the source, that being 10.10.10.2, and that being you.

If you are host 10.10.10.2, and you spoof your IP address to 1.1.1.1, and the
router runs loose-check uRPF and has 1.1.1.1 as RTF_REJECT, the router will
obviously cannot generate ICMP back at you, b/c you are claiming to be
1.1.1.1 which is routed to null.

-J

-- 
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

• Previous message: Petri Helenius: "Re: IPFW2 versrcreach update"
• In reply to: Petri Helenius: "Re: IPFW2 versrcreach update"
• Next in thread: James: "Re: IPFW2 versrcreach update"
• Reply: James: "Re: IPFW2 versrcreach update"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages CISCO 2600 - routing problem ... I have Internet access from both the router and the host with static ... but with static route over cable modem: ... I can ping Internet only from router not from ... (comp.dcom.sys.cisco) CISCO 2600 - routing problem ... I have Internet access from both the router and the host with static ... but with static route over cable modem: ... I can ping Internet only from router not from ... (comp.dcom.sys.cisco) Re: why are alias names a bad idea? ... Converting the host name to IP ... >>address of the router requires sending a packet to the DNS server, ... I was talking of the SET ROUTE command. ... IP address of the router. ... (comp.os.vms) Re: no route to host but ping ok ... I suppose there is a configuration problem on there firewall but I ... If I try ssh or telnet on port 22, I have: No route to host. ... This usually means that the router which sent the ICMP message knows how to route the packet but the ARP resolution for the next hop address failed. ... (comp.os.linux.networking) Re: Add route batch file ... indivudual host instead of a router) indicates a possible design issue. ... Routing should be done only at the LAN's router,...individual hosts should ... > My office needs a persistant route added to the routing table on all the> workstations. ... (microsoft.public.win2000.networking)