Subject: Re: IPF question
To: None <tech-security@netbsd.org>
From: Stefan Hulbrock <s.huelbrock@biodata.de>
List: tech-security
Date: 07/19/2001 11:16:33
Hi
> > One question about IPF: If I have a tcp keep state rule, I understood that
> > any valid ICMP traffic about the TCP connection would be allowed without
> > rule checking.
> >
> > Does that mean that someone able to snoop the TCP connection would be able
> > to forge an ICMP redirect packet, and that there is no way to stop this?
> [...]
>
> Correct.  This is nearly never useful because the "next hop" that is the
> redirected gateway must be on the local LAN.
That may be a problem if someone places a "bad" router in the LAN that sends
packets elsewhere...

Hmmmm... but it shouldn't be too complicated in IPF to check for the ICMP
types even in established connections.
In my opinion the "good ICMPs" (tm ;-) that should be allowed if a TCP conn is
established are dst-unreachables, source-quench and ttl-exceeded (hope I forgot
none...)
I can think of no reason where a conn is established to a server and it
sends a redirect to the source (this should normally only happen in a local
LAN), or any other ICMP.

This behaviour could be hard coded.

Regards
Stefan Hulbrock,
Biodata IT AG
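The check proposed in this thread, as an added example that is neither IPF code nor part of the original post: a small Python model that parses an ICMP error message (type, code, checksum, then the quoted IPv4 header and the first 8 bytes of TCP), matches the quoted 4-tuple against a table of established TCP connections, and then admits only destination-unreachable, source-quench and time-exceeded while dropping redirects. The packet builder, the state table contents and the addresses are constructed test input, not captured traffic.

```python
import struct

# ICMP message types (RFC 792) relevant to an established TCP connection.
ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_REDIRECT = 5
ICMP_TIME_EXCEEDED = 11
# The "good ICMPs" from the post: errors a host or router may legitimately
# report about a TCP flow.  Redirect is deliberately absent.
ALLOWED_FOR_TCP_STATE = {ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_TIME_EXCEEDED}
IPPROTO_TCP = 6

def build_icmp_error(icmp_type, src, sport, dst, dport):
    """Construct an ICMP error quoting an IPv4+TCP header (constructed test input)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_TCP, 0,
                           bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    inner_tcp = struct.pack("!HHI", sport, dport, 0)      # ports + sequence number (8 bytes)
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + inner_ip + inner_tcp

def parse_icmp_error(packet):
    """Return (icmp_type, proto, 4-tuple of the quoted datagram) from an ICMP error."""
    icmp_type = packet[0]
    inner = packet[8:]                                    # skip type, code, checksum, unused
    ihl = (inner[0] & 0x0F) * 4                           # IPv4 header length in bytes
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return icmp_type, proto, (src, sport, dst, dport)

def icmp_allowed_by_state(packet, tcp_state):
    """Decide whether an ICMP error may ride on an existing TCP state entry.

    tcp_state holds (src, sport, dst, dport) tuples of established connections,
    keyed in the direction the quoted (offending) datagram travelled.
    """
    icmp_type, proto, flow = parse_icmp_error(packet)
    if proto != IPPROTO_TCP or flow not in tcp_state:
        return False        # not about a tracked TCP connection: ordinary rules apply instead
    return icmp_type in ALLOWED_FOR_TCP_STATE

if __name__ == "__main__":
    state = {("192.0.2.10", 40000, "198.51.100.5", 80)}  # constructed sample entry
    unreach = build_icmp_error(ICMP_DEST_UNREACH, "192.0.2.10", 40000, "198.51.100.5", 80)
    redirect = build_icmp_error(ICMP_REDIRECT, "192.0.2.10", 40000, "198.51.100.5", 80)
    print(icmp_allowed_by_state(unreach, state), icmp_allowed_by_state(redirect, state))
```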