
0003081: Endian Firewall sends icmp redirects - MantisBT Endian Bugtracker
Endian Issue Tracker





ID: 0003081
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2010-07-22 14:14
Last Update: 2010-11-22 11:51
Reporter: 1und1
Assigned To: christian-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.3.1
Target Version:
Fixed in Version: 2.4
Summary: 0003081: Endian Firewall sends icmp redirects
Description:
The following configuration causes the Endian to send icmp-redirects:
1. traffic enters the Endian Firewall from network A
2. the Endian's default gateway G is located in network A
3. the traffic is destined to network B behind gateway W

This is bad because
1. if icmp redirects are accepted, the Endian Firewall is bypassed for the affected traffic.
a) Meaning that the affected traffic is no longer being inspected.
b) Meaning that in case the Endian is used for IP-masquerading (NAT), the affected traffic is no longer being NATed, interrupting connectivity.
2. icmp redirects are not always honored by the client, meaning traffic patterns become somewhat unpredictable.

Additional Information:
In our network setup, an Endian Appliance is supposed to NAT and inspect traffic to external destinations for clients with private IP-addresses.

              World
                |
          +-----------+
          | Gateway W |
          +-----------+
                |
+--------+      |       +-----------+
| Endian |------+-------| Gateway A |---------some clients
+--------+    n |       +-----------+
              e |       +-----------+
              t +-------| Gateway B |---------some other clients
              w |       +-----------+
              o |       +-----------+
              r +-------| Gateway C |---------way more clients
              k |       +-----------+
                |       +-----------+
              A +-------| Gateway D |---------here be dragons
                |       +-----------+
               ...

We think this behaviour was introduced as an intended fix for bug 0001515. However, we consider it to be just an ugly workaround as it doesn't really fix the problem in all cases, and instead the ill-advised network setup in the referenced bug report should be changed.
Tags: No tags attached.
Attached Files: network.png (19,854 bytes) 2010-07-22 14:24
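
Added example (not part of the report and not Endian's code): a simplified model of the condition listed in the description. It flags flows that the firewall would forward back out of the interface they arrived on, and applies the standard Linux rule that send_redirects is in effect when either the "all" value or the per-interface value is set, assuming the appliance follows those semantics. All addresses, interface names and the eth1 zone are constructed.

```python
import ipaddress

# Constructed addressing: the report gives none. eth0 sits in "network A";
# eth1 is a hypothetical second zone added for contrast.
ROUTES = [
    ("192.0.2.0/24", "eth0"),   # network A, directly attached
    ("172.16.0.0/24", "eth1"),  # hypothetical second zone
    ("10.10.0.0/16", "eth0"),   # clients behind Gateway A (next hop in network A)
    ("0.0.0.0/0", "eth0"),      # default route, next hop Gateway W in network A
]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
    matches = [(net, iface) for net, iface in nets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def redirects_enabled(iface, sysctl):
    """Linux ORs conf.all.send_redirects with the per-interface value.
    Keys missing from the dict are treated as enabled (assumption)."""
    return bool(sysctl.get("all", 1)) or bool(sysctl.get(iface, 1))

def redirect_candidates(flows, sysctl, routes=ROUTES):
    """Flows that leave by the interface they arrived on while redirects are on."""
    hits = []
    for ingress, dst in flows:
        egress = egress_interface(dst, routes)
        if egress == ingress and redirects_enabled(egress, sysctl):
            hits.append((ingress, dst))
    return hits

# Constructed flows: (ingress interface, destination address)
FLOWS = [
    ("eth0", "198.51.100.7"),  # from network A to the world via Gateway W
    ("eth1", "198.51.100.7"),  # from the second zone to the world
    ("eth0", "172.16.0.5"),    # from network A into the second zone
]

if __name__ == "__main__":
    # Only eth0 was switched off; conf.all is still 1, so redirects stay on.
    print(redirect_candidates(FLOWS, {"all": 1, "eth0": 0, "eth1": 0}))
    # Both values cleared: no redirect is sent for the hairpinned flow.
    print(redirect_candidates(FLOWS, {"all": 0, "eth0": 0, "eth1": 0}))
```

The model covers only the same-interface condition from the report; it does not reproduce the kernel's further checks before a redirect is emitted.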

- Relationships
related to 0001515 (closed, peter-endian): zonefw: --state NEW check blocks communication to clients behind a router due to triangle connection

-  Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2010-07-22 14:14 1und1 New Issue
2010-07-22 14:24 1und1 File Added: network.png
2010-09-17 09:22 christian-endian Relationship added related to 0001515
2010-09-17 09:23 christian-endian Status new => confirmed
2010-09-20 14:30 christian-endian Status confirmed => resolved
2010-09-20 14:30 christian-endian Fixed in Version => 2.4
2010-09-20 14:30 christian-endian Resolution open => fixed
2010-09-20 14:30 christian-endian Assigned To => christian-endian
2010-11-22 11:51 peter-endian Status resolved => closed
