Re: IPFW2 versrcreach update

From: James (james_at_towardex.com)
Date: 07/21/04

  • Next message: Greg Skafte: "a 5.2* bridging mystery."
    Date: Wed, 21 Jul 2004 14:17:45 -0400
    To: Petri Helenius <pete@he.iki.fi>
    
    

    On Wed, Jul 21, 2004 at 02:14:10PM -0400, James wrote:
    > > >
    > > Where would the ICMP go anyway because you either don't have a route to
    > > where you would point the packet to or the route points to null.
    >

    Hmm.. Something tells me that whatever I said below is exactly the same as whatever
    you said.. :) doh

    Sorry for useless reply :)

    -J

    > Under uRPF drop condition, ICMP should not happen b/c the source of the route
    > is null route.
    >
    > Under normal, non-uRPF drop condition, ICMP unreachable will go to the *source*
    > who is _not_ part of the null route.
    >
    > For example: If you are host 10.10.10.2 behind a router 10.10.10.1, and you
    > run traceroute to 3.3.3.3 and if your router does not have a route for 3.3.3.3
    > (not even default route), the router will generate !N/!H ICMP message back to
    > the source, that being 10.10.10.2, and that being you.
    >
    > If you are host 10.10.10.2, and you spoof your IP address to 1.1.1.1, and the
    > router runs loose-check uRPF and has 1.1.1.1 as RTF_REJECT, the router
    > obviously cannot generate ICMP back at you, b/c you are claiming to be
    > 1.1.1.1 which is routed to null.
    >
    > -J
    >
    > --
    > James Jun TowardEX Technologies, Inc.
    > Technical Lead Network Design, Consulting, IT Outsourcing
    > james@towardex.com Boston-based Colocation & Bandwidth Services
    > cell: 1(978)-394-2867 web: http://www.towardex.com , noc: www.twdx.net

    -- 
    James Jun                                            TowardEX Technologies, Inc.
    Technical Lead                        Network Design, Consulting, IT Outsourcing
    james@towardex.com                  Boston-based Colocation & Bandwidth Services
    cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
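A small model of the two cases James walks through (no route to the destination versus a spoofed source that loose-check uRPF rejects), added here as an illustration; it is not code from the thread or from ipfw itself, and the routing table, prefixes and the `lookup`/`forward` functions are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    reject: bool = False  # RTF_REJECT: traffic matching this route is discarded

# Constructed routing table for the router 10.10.10.1 in the thread's example:
# a connected LAN, a null route for 1.1.1.0/24, and deliberately no default route.
ROUTES = [
    Route(ipaddress.ip_network("10.10.10.0/24")),
    Route(ipaddress.ip_network("1.1.1.0/24"), reject=True),
]

def lookup(addr):
    """Longest-prefix match; None when no route covers addr."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in ROUTES if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def forward(src, dst):
    """Return (action, reason, icmp_to) for a packet from src to dst.

    ("drop", "urpf", None): loose-check uRPF failed, the source has no route
        or only a reject route, so no ICMP is sent; the reply would itself be
        routed to null.
    ("drop", "unreachable", src): no usable route to dst; ICMP !N/!H is sent
        back to the (legitimately routed) source.
    ("forward", None, None): packet is routed on.
    """
    # Loose-mode uRPF as the thread describes it for ipfw's versrcreach: the
    # source address must be covered by some route that is not RTF_REJECT.
    src_rt = lookup(src)
    if src_rt is None or src_rt.reject:
        return ("drop", "urpf", None)
    dst_rt = lookup(dst)
    if dst_rt is None or dst_rt.reject:
        return ("drop", "unreachable", src)
    return ("forward", None, None)

if __name__ == "__main__":
    for src, dst in [("10.10.10.2", "3.3.3.3"), ("1.1.1.1", "3.3.3.3")]:
        print(src, "->", dst, forward(src, dst))
```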
    
