Subject: Re: IPF question
To: Emmanuel Dreyfus <>
From: Darren Reed <>
List: tech-security
Date: 07/19/2001 19:02:46
In some email I received from Emmanuel Dreyfus, sie wrote:
> Hi!
> One question about IPF: If I have a tcp keep state rule, I understood that
> any valid ICMP traffic about the TCP connection would be allowed without
> rule checking.
> Does that mean that someone able to snoop the TCP connection would be able
> to forge an ICMP redirect packet, and that there is no way to stop this?

Correct.  This is nearly never useful because the "next hop" that is the
redirected gateway must be on the local LAN.
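The keep-state behaviour discussed above, modelled as a small classifier (an added example, not IPF's code): an ICMP error whose quoted TCP header matches a tracked connection passes without a rule lookup, and a redirect that names a next hop outside the local LAN is flagged as bogus. The state table, LAN prefix and addresses are constructed sample values.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
# Constructed state table in the spirit of a "keep state" rule:
# (src, sport, dst, dport) of tracked TCP connections (assumed values).
STATE_TABLE = {("192.0.2.10", 40000, "198.51.100.5", 80)}
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed LAN of the firewall

def parse_icmp_error(payload):
    """Split an ICMP error: 8-byte ICMP header, then the quoted IP header
    (IHL honoured) and the first 8 bytes of the quoted transport header."""
    icmp_type, _code, _csum, rest = struct.unpack("!BBH4s", payload[:8])
    inner = payload[8:]
    ihl = (inner[0] & 0x0F) * 4
    src = str(ipaddress.ip_address(inner[12:16]))
    dst = str(ipaddress.ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    # For a redirect, "rest" carries the gateway the sender wants us to use.
    return icmp_type, str(ipaddress.ip_address(rest)), (src, sport, dst, dport)

def related_to_state(t4, table):
    """The keep-state shortcut: the quoted TCP header matches a tracked
    connection in either direction, so the ICMP passes without rule lookup."""
    src, sport, dst, dport = t4
    return t4 in table or (dst, dport, src, sport) in table

def classify(payload, table=STATE_TABLE, local_net=LOCAL_NET):
    """Decide what a state-aware filter does with one ICMP error message."""
    icmp_type, gateway, t4 = parse_icmp_error(payload)
    if not related_to_state(t4, table):
        return "drop: no matching state"
    if icmp_type != ICMP_REDIRECT:
        return "pass: ICMP related to tracked connection"
    # A redirect can only name a next hop on the local LAN; anything else is bogus.
    if ipaddress.ip_address(gateway) not in local_net:
        return "drop: redirect names off-link gateway"
    return "alert: redirect matches state and gateway is on the LAN"

def build_icmp_error(icmp_type, rest_addr, src, sport, dst, dport):
    """Constructed test vector: an ICMP error quoting a TCP packet's headers."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBH4s", icmp_type, 0, 0, ipaddress.ip_address(rest_addr).packed)
    return icmp + ip + tcp
```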