There might have been an ICMP redirect from 10.96.25.1 telling ipfire that
there's a better way to get to that network, and it's via 10.96.25.2.

On my system it seems to be off by default (I haven't set it in
/etc/sysctl.conf) which makes sense as redirects can be used for MITM
attacks.
$ cat /proc/sys/net/ipv4/conf/all/accept_redirects
0

On Wed, Oct 9, 2013 at 9:50 PM, Stefan G. Weichinger <lists@×××××.at> wrote:

>
> server:
>
> # ip route s
> default via 10.96.25.129 dev br0
> 10.96.25.128/25 dev br0 proto kernel scope link src 10.96.25.131
> 192.168.1.0/24 dev eno2 proto kernel scope link src 192.168.1.201
>
> # !tra
> traceroute 172.32.99.12
> traceroute to 172.32.99.12 (172.32.99.12), 30 hops max, 60 byte packets
> 1 ipfire (10.96.25.129) 0.410 ms 1.213 ms 1.302 ms
> 2 10.96.25.2 (10.96.25.2) 3.853 ms 3.835 ms 3.825 ms
>
> ^C
>
> on the router "ipfire" (which is 10.96.25.129 on its LAN-side)
>
> # ip r s
> default via 10.96.25.1 dev blue0
>
> no specific routes on there
>
> The route should go via 10.96.25.1 for targets in 172.32.99.0/24 as
> well ...
>
> I don't get where it gets 10.96.25.2 from *scratch*
>
> This routing issue might be the problem with my libvirt-connections (see
> other current thread).
>
> Even when I do
>
> # ip route add 172.32.99.12/32 via 10.96.25.1
>
> on the router (explicit route for my desktop IP) the traceroute still
> shows:
>
> # traceroute 172.32.99.12
> traceroute to 172.32.99.12 (172.32.99.12), 30 hops max, 60 byte packets
> 1 ipfire.mlp-ag.com (10.96.25.129) 0.294 ms 0.270 ms 0.258 ms
> 2 10.96.25.2 (10.96.25.2) 0.569 ms 0.746 ms 0.987 ms^C
>
> Any hints on this?
> I need a vacation, btw ;-)
>
> And the best: I do this via ssh, so I am already connected ... which
> means I get packages back ...
>
> S
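
The check in the reply reads only conf/all/accept_redirects. As an added example (not part of the original thread), the script below reports whether the kernel actually accepts ICMP redirects on each interface, following the rule in the kernel's ip-sysctl documentation: with forwarding enabled on the interface, both the "all" and the per-interface value must be set; with forwarding disabled, either one is enough. The function names and the optional conf-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: effective ICMP redirect acceptance per interface.
# The optional root argument is an assumption of this example so the logic
# can be exercised against a constructed tree instead of the live kernel.

# effective_accept_redirects IFACE [ROOT]
# Prints 1 if redirects would be accepted on IFACE, 0 otherwise.
effective_accept_redirects() {
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/accept_redirects") || return 2
    own=$(cat "$root/$iface/accept_redirects") || return 2
    fwd=$(cat "$root/$iface/forwarding") || return 2

    if [ "$fwd" -ne 0 ]; then
        # Interface forwards packets (router): "all" AND interface must be set.
        if [ "$all" -ne 0 ] && [ "$own" -ne 0 ]; then echo 1; else echo 0; fi
    else
        # Interface does not forward (host): "all" OR interface is enough.
        if [ "$all" -ne 0 ] || [ "$own" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# audit_redirects [ROOT]
# Prints one line per real interface; "all" and "default" are templates,
# not interfaces, so they are skipped.
audit_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case $iface in
            all|default) continue ;;
        esac
        printf '%s accept_redirects=%s\n' "$iface" \
            "$(effective_accept_redirects "$iface" "$root")"
    done
}
```

Run `audit_redirects` with no argument on the router to read the live values. `ip route get 172.32.99.12` on the same box shows whether a redirected next hop is currently cached for that destination.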