Hi folks

I am putting this up in the hope someone has a deeper insight into the
Linux IP stack than I do.

I am running a pair of Bering boxes with a DMZ in between them; I call
them greatwall and innerwall.

In the DMZ there is a Linux based sendmail MTA.

I have ICMP redirect send and accept enabled on all the interfaces of
the firewalls looking at the DMZ, i.e. on innerwall and on greatwall.

If I set the default route of the MTA to the DMZ interface on greatwall
(the external firewall) everything works fine.

If I set the default route of the MTA to the DMZ interface on innerwall
there are two scenarios.

1) If I ping an external host, e.g. one reachable through greatwall, I see:

 ICMP echo request goes to the innerwall DMZ interface
 ICMP redirect host is sent from innerwall to the MTA with a nexthop on
the DMZ interface of greatwall

Now everything works as expected.

2) If I attempt to do the same with a TCP connection on port 25 I do not
see the ICMP redirect, which I would expect. Neither is the route in
cache honoured.

Here is some test output, unsanitized; you would find it anyway ;-)

mta2:/proc/sys/net/ipv4/conf/eth1 # ping luna.think.ch
PING luna.think.ch (84.73.177.229) 56(84) bytes of data.
64 bytes from 84-73-177-229.dclient.hispeed.ch (84.73.177.229): icmp_seq=1 ttl=53 time=28.5 ms
From innerwall.asp.ruf.ch (195.65.112.98): icmp_seq=2 Redirect Host(New nexthop: greatwall-internal.asp.ruf.ch (195.65.112.97))
64 bytes from 84-73-177-229.dclient.hispeed.ch (84.73.177.229): icmp_seq=2 ttl=53 time=37.7 ms
64 bytes from 84-73-177-229.dclient.hispeed.ch (84.73.177.229): icmp_seq=3 ttl=53 time=10.4 ms

--- luna.think.ch ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 10.469/25.568/37.723/11.321 ms

mta2:/proc/sys/net/ipv4/conf/eth1 # netstat -Crn | grep 84.73.177.229
195.65.112.112  84.73.177.229   195.65.112.97          1500 0          0 eth0
84.73.177.229   195.65.112.112  195.65.112.112  l         0 0          0 lo
195.65.112.112  84.73.177.229   195.65.112.97          1500 0          0 eth0

mta2:/proc/sys/net/ipv4/conf/eth1 # telnet luna.think.ch 25
Trying 84.73.177.229...

mta2:/proc/sys/net/ipv4/conf/eth1 # netstat -Crn | grep 84.73.177.229
195.65.112.112  84.73.177.229   195.65.112.98          1500 0          0 eth0
195.65.112.112  84.73.177.229   195.65.112.97          1500 0          0 eth0
84.73.177.229   195.65.112.112  195.65.112.112  l         0 0          0 lo
195.65.112.112  84.73.177.229   195.65.112.98          1500 0          0 eth0
195.65.112.112  84.73.177.229   195.65.112.97          1500 0          0 eth0

Now the above looks weird.

I have a Windoze host in the same DMZ which shows a reasonable behaviour
with the same routing settings.

Ideas, anyone?

Erich
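A small parser for the route cache shown above, as an added example that is not part of the original post: it groups `netstat -Crn` entries by source/destination pair and flags pairs that have more than one gateway cached, which is exactly the trace an accepted ICMP redirect leaves behind and what an admin auditing a redirect-accepting host in a DMZ would want to spot. The sample lines are constructed to mirror the post's output.

```python
"""Parse `netstat -Crn` route-cache output and flag destinations whose
cached entries disagree about the next hop (e.g. after an ICMP redirect).

Added example, not part of the original post. The sample lines below are
constructed to mirror the route cache shown in the post."""
from collections import defaultdict

# Constructed sample: route-cache lines as `netstat -Crn` prints them
# (Source, Destination, Gateway, Flags, MSS, Window, irtt, Iface).
SAMPLE_CACHE = """\
195.65.112.112  84.73.177.229   195.65.112.98          1500 0          0 eth0
195.65.112.112  84.73.177.229   195.65.112.97          1500 0          0 eth0
84.73.177.229   195.65.112.112  195.65.112.112  l         0 0          0 lo
195.65.112.112  84.73.177.229   195.65.112.98          1500 0          0 eth0
"""

def parse_cache(text):
    """Return a list of (source, destination, gateway, iface) tuples.

    The Flags column may be empty, so parse from both ends of the line:
    the first three fields are addresses, the last one is the interface."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip headers / blank lines
            continue
        src, dst, gw = fields[:3]
        iface = fields[-1]
        entries.append((src, dst, gw, iface))
    return entries

def conflicting_nexthops(entries):
    """Map (source, destination) -> sorted list of gateways, keeping only
    pairs with more than one distinct gateway cached. Local entries
    (the lo interface) are ignored."""
    seen = defaultdict(set)
    for src, dst, gw, iface in entries:
        if iface == "lo":
            continue
        seen[(src, dst)].add(gw)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (src, dst), gws in conflicting_nexthops(parse_cache(SAMPLE_CACHE)).items():
        print(f"{src} -> {dst}: {len(gws)} gateways cached: {', '.join(gws)}")
```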
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/