What gets bypassed with established TCP connections is the firewall rules, as an optimization for reducing CPU load on firewall machines.
That's TCP connections, not routes. Routes must involve routers unless there is a direct connection (or faking of a direct connection through VPN bridging or something like that).
Nope, you can always source route a packet, unless a host along the path filters them. However, in that case there is nothing to stop an application from source routing directly to the firewall and bypassing the router. The application would have to specifically do this, though, as it is not done automatically.
One other way that I forgot about is ICMP type 5 Redirects. This is the more automatic approach and is probably what Brian (Jack?) is referring to. The router basically sends the host a message saying there is a better route and to update your routing table. However, the host must accept these packets; some hosts disable redirects for obvious security reasons.
RFC 792, page 13:
The gateway sends a redirect message to a host in the following situation. A gateway, G1, receives an internet datagram from a host on a network to which the gateway is attached. The gateway, G1, checks its routing table and obtains the address of the next gateway, G2, on the route to the datagram's internet destination network, X. If G2 and the host identified by the internet source address of the datagram are on the same network, a redirect message is sent to the host. The redirect message advises the host to send its traffic for network X directly to gateway G2 as this is a shorter path to the destination. The gateway forwards the original datagram's data to its internet destination.
For datagrams with the IP source route options and the gateway address in the destination address field, a redirect message is not sent even if there is a better route to the ultimate destination than the next address in the source route.
Codes 0, 1, 2, and 3 may be received from a gateway.
RFC 816, page 3:
The ICMP "redirect" message indicates that the gateway to which the host sent the datagram is no longer the best gateway to reach the net in question. The gateway will have forwarded the datagram, but the host should revise its routing table to have a different immediate address for this net.
RFC 1349, page 9:
The ICMP Redirect message also includes a code, which specifies the class of datagrams to which the Redirect applies. There are currently four codes defined: 0 -- redirect datagrams for the network. 1 -- redirect datagrams for the host. 2 -- redirect datagrams for the type of service and network. 3 -- redirect datagrams for the type of service and host.