routing problem - fork on gateways

Jeremy Fowler JFowler at westrope.com
Wed Sep 7 11:37:33 CDT 2005


> > what gets bypassed with established TCP connections is the firewall
> > rules, as an optimization for reducing CPU load on firewall
> > machines.
> > That's TCP connections, not routes.
> > Routes must involve routers unless there is direct connection, (or
> > faking of direct connection through VPN bridging or something like
> > that)
> 
> Nope, you can always source route a packet, unless a host
> along the path filters them. However, in this case there is
> nothing to stop an application from source routing directly to
> the firewall and bypassing the router. However, the
> application would have to specifically do this as it is not
> done automatically.

One other way that I forgot about is ICMP type 5 Redirects. This is the
more automatic approach and is probably what Brian (Jack?) is referring
to. The router basically sends the host a message saying there is a
better route and to update your routing table. However, the host must
accept these packets; some hosts disable redirects for obvious security
reasons.

RFC 792, page 13:

    The gateway sends a redirect message to a host in the following
    situation. A gateway, G1, receives an internet datagram from a host on a
    network to which the gateway is attached. The gateway, G1, checks its
    routing table and obtains the address of the next gateway, G2, on the
    route to the datagram's internet destination network, X. If G2 and the
    host identified by the internet source address of the datagram are on
    the same network, a redirect message is sent to the host. The redirect
    message advises the host to send its traffic for network X directly to
    gateway G2 as this is a shorter path to the destination. The gateway
    forwards the original datagram's data to its internet destination.

    For datagrams with the IP source route options and the gateway
    address in the destination address field, a redirect message is not sent
    even if there is a better route to the ultimate destination than the
    next address in the source route.

    Codes 0, 1, 2, and 3 may be received from a gateway.

RFC 816, page 3:

    The ICMP "redirect" message indicates that the gateway to which the
    host sent the datagram is no longer the best gateway to reach the net in
    question. The gateway will have forwarded the datagram, but the host
    should revise its routing table to have a different immediate address
    for this net.

RFC 1349, page 9:

    The ICMP Redirect message also includes a code, which specifies the
    class of datagrams to which the Redirect applies. There are currently
    four codes defined: 0 -- redirect datagrams for the network. 1 --
    redirect datagrams for the host. 2 -- redirect datagrams for the type of
    service and network. 3 -- redirect datagrams for the type of service and
    host.
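
As an added illustration of the mechanism quoted above (example code written for this page, not code from the post or from any RFC), the Python below builds an ICMP type 5 message laid out as RFC 792 describes it (type, code, checksum, new gateway address, then the original IP header plus 8 bytes of its data), parses it back, and then runs the host-side acceptance checks that RFC 1122 section 3.2.2.2 requires before a host revises its routing table: the redirect must come from the current first-hop gateway for the quoted destination, and the advertised gateway must be on a directly connected network. The interface list, routing table, all addresses (taken from the documentation ranges) and the function names are assumptions for the example; the `accept_redirects` flag stands in for the per-host switch the post mentions.

```python
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5
# Codes as listed in RFC 792 / RFC 1349.
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words; a received message verifies to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = socket.IPPROTO_ICMP) -> bytes:
    """Minimal 20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(code: int, new_gateway: str, original_datagram: bytes) -> bytes:
    """ICMP type 5 as in RFC 792: header + gateway address + quoted IP header and 8 data bytes."""
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted = original_datagram[: ihl + 8]
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(new_gateway)) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_redirect(icmp: bytes) -> dict:
    """Validate type, code, checksum and length, then pull out what the host needs to decide."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated ICMP redirect")
    msg_type, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if msg_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % msg_type)
    if code not in REDIRECT_CODES:
        raise ValueError("unknown redirect code %d" % code)
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]
    return {"code": code, "scope": REDIRECT_CODES[code], "new_gateway": socket.inet_ntoa(gw),
            "orig_src": socket.inet_ntoa(quoted[12:16]), "orig_dst": socket.inet_ntoa(quoted[16:20])}


def first_hop(routes, dst: str):
    """Longest-prefix match over (network, gateway) pairs; gateway None means on-link."""
    best, d = None, ipaddress.ip_address(dst)
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None


def should_accept_redirect(icmp: bytes, ip_src: str, ifaces, routes, accept_redirects=True):
    """Host-side decision, modelled on RFC 1122 section 3.2.2.2 (hypothetical helper).
    Returns (accepted, reason)."""
    try:
        r = parse_redirect(icmp)
    except ValueError as e:
        return False, str(e)
    if not accept_redirects:  # the per-host switch (e.g. Linux accept_redirects=0)
        return False, "redirects disabled by policy"
    my_addrs = {str(ipaddress.ip_interface(i).ip) for i in ifaces}
    if r["orig_src"] not in my_addrs:
        return False, "quoted datagram was not sent by this host"
    if first_hop(routes, r["orig_dst"]) != ip_src:
        return False, "sender %s is not our current first hop for %s" % (ip_src, r["orig_dst"])
    gw = ipaddress.ip_address(r["new_gateway"])
    if not any(gw in ipaddress.ip_interface(i).network for i in ifaces):
        return False, "new gateway %s is not on a directly connected network" % gw
    return True, "redirect (%s) for %s -> %s" % (r["scope"], r["orig_dst"], r["new_gateway"])


# Constructed scenario: host 192.0.2.10 behind default gateway G1 = 192.0.2.1.
HOST_IFACES = ["192.0.2.10/24"]
ROUTES = [("0.0.0.0/0", "192.0.2.1"), ("192.0.2.0/24", None)]
# A UDP datagram the host sent to 198.51.100.7 through G1 (8 bytes of UDP header as data).
original = build_ipv4_header("192.0.2.10", "198.51.100.7", 8, socket.IPPROTO_UDP) + \
    b"\x30\x39\x00\x35\x00\x08\x00\x00"


def demo():
    results = {}
    legit = build_redirect(1, "192.0.2.2", original)  # G1 says G2 = 192.0.2.2 is shorter
    results["legit"] = should_accept_redirect(legit, "192.0.2.1", HOST_IFACES, ROUTES)
    # Same bytes, but from an on-link machine that is not our current first hop.
    results["spoofed_source"] = should_accept_redirect(legit, "192.0.2.66", HOST_IFACES, ROUTES)
    # Real gateway, but the new gateway is off-link and therefore unusable.
    offlink = build_redirect(1, "203.0.113.1", original)
    results["offlink_gateway"] = should_accept_redirect(offlink, "192.0.2.1", HOST_IFACES, ROUTES)
    # Host that has disabled redirects ignores even the legitimate one.
    results["disabled"] = should_accept_redirect(legit, "192.0.2.1", HOST_IFACES, ROUTES, False)
    # A corrupted byte in the quoted header fails the checksum before any policy check.
    bad = legit[:20] + bytes([legit[20] ^ 0xFF]) + legit[21:]
    results["corrupt"] = should_accept_redirect(bad, "192.0.2.1", HOST_IFACES, ROUTES)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-16s %-8s %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

The first-hop check is exactly the weak point that motivates disabling redirects: anything on the same link can forge a packet whose IP source is the real gateway, and the host has no way to tell it from G1's genuine message, which is why the RFC 1122 checks limit the damage (the attacker can only steer traffic to another on-link address) rather than remove it.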


More information about the Kclug mailing list