Date: Thu, 29 Dec 2005 21:01:50 -0800
From: Julian Elischer <julian@elischer.org>
To: Andre Oppermann <andre@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: forwarding icmp redirects.
Message-ID: <43B4BF3E.9070907@elischer.org>
In-Reply-To: <43B47A31.2CABFD7D@freebsd.org>
References: <43B45D8A.7040609@elischer.org> <43B47A31.2CABFD7D@freebsd.org>
Andre Oppermann wrote:
> Julian Elischer wrote:
>
>> I know WE don't generate non local icmp redirects but I notice that we
>> would forward them should someone else (malicious or not) generate them..
>> I think that we possibly should check for them in our forwarding code..
>> (of course you can stop them with the firewall but..)
>>
>> thoughts?
>
> The job of the forwarding code is to forward packets with little to
> no exceptions. Dropping certain types of ICMP packets is out of scope
> for the forwarding code. The proper place is a firewall.
>
> IMHO we should disable emitting and acting upon ICMP redirects by default.

I know many places that rely on them heavily.. please don't do that..
Cisco PIX doesn't generate them.. it makes that machine a pain in the **** to use in some situations.
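The two checks the thread is arguing about, written out as an added example (this is not code from the thread or from FreeBSD): the router-side check Julian proposes for the forwarding path (an ICMP Redirect, type 5, only makes sense between a first-hop router and a host on the same link, so one that would need forwarding is never legitimate), and the host-side acceptance check from RFC 1122 section 3.2.2.2 that makes "acting upon" redirects safe (the redirect must come from the host's current first-hop gateway and name a new gateway on the directly connected network). All addresses and packets are constructed for the example; the function names are mine.

```python
"""ICMP Redirect handling: drop on the forwarding path, validate on the host.
All packets below are constructed in-process; nothing touches the network."""
import ipaddress
import struct

IPPROTO_ICMP = 1
ICMP_REDIRECT = 5


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a
    header whose checksum field is already filled in correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (20 bytes, no options) with a valid checksum + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp_redirect(gateway: str, offending: bytes, code: int = 1) -> bytes:
    """ICMP Redirect: type 5, code 1 (redirect for host), the new gateway, then
    the IP header + first 8 bytes of the datagram that triggered it."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, ipaddress.IPv4Address(gateway).packed)
    body += offending[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_ipv4(pkt: bytes) -> dict:
    """Parse and validate the IPv4 header; raises ValueError on garbage."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vhl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vhl & 0x0F) * 4
    if vhl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ihl": ihl, "ttl": ttl, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "payload": pkt[ihl:total_len]}


def icmp_redirect_info(pkt: bytes):
    """Return (ip_src, new_gateway) if pkt is a well-formed ICMP Redirect, else None."""
    ip = parse_ipv4(pkt)
    icmp = ip["payload"]
    if ip["proto"] != IPPROTO_ICMP or len(icmp) < 8 or icmp[0] != ICMP_REDIRECT:
        return None
    if inet_checksum(icmp) != 0:
        return None
    return ip["src"], ipaddress.IPv4Address(icmp[4:8])


def forwarding_decision(pkt: bytes, our_addrs: set) -> str:
    """Router-side check (the one proposed for the forwarding code). A redirect
    that is not addressed to us has already crossed a link boundary, so it
    cannot be a legitimate first-hop redirect: drop instead of relaying it."""
    ip = parse_ipv4(pkt)
    if str(ip["dst"]) in our_addrs:
        return "deliver"
    if icmp_redirect_info(pkt) is not None:
        return "drop"
    return "forward"


def host_accepts_redirect(pkt: bytes, current_gateway: str, link: str) -> bool:
    """Host-side check (RFC 1122 3.2.2.2): the redirect must come from our
    current first-hop gateway and the new gateway must be on the local link."""
    info = icmp_redirect_info(pkt)
    if info is None:
        return False
    src, new_gw = info
    return src == ipaddress.IPv4Address(current_gateway) and new_gw in ipaddress.IPv4Network(link)


def demo() -> dict:
    """Constructed scenario: host 10.0.0.5 behind router 10.0.0.1 (also 198.51.100.1).
    An off-link attacker at 203.0.113.7 injects a redirect towards the host."""
    offending = build_ipv4("10.0.0.5", "192.0.2.10", 6, b"\x00" * 8)  # TCP stub, constructed
    offlink = build_ipv4("203.0.113.7", "10.0.0.5", IPPROTO_ICMP,
                         build_icmp_redirect("203.0.113.7", offending))
    onlink = build_ipv4("10.0.0.1", "10.0.0.5", IPPROTO_ICMP,
                        build_icmp_redirect("10.0.0.2", offending))
    router_addrs = {"10.0.0.1", "198.51.100.1"}
    return {
        "router_offlink": forwarding_decision(offlink, router_addrs),      # "drop"
        "router_plain": forwarding_decision(offending, router_addrs),      # "forward"
        "host_offlink": host_accepts_redirect(offlink, "10.0.0.1", "10.0.0.0/24"),  # False
        "host_onlink": host_accepts_redirect(onlink, "10.0.0.1", "10.0.0.0/24"),    # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two functions map onto the two knobs the thread mentions: `forwarding_decision` is the drop that Andre says belongs in the firewall rather than ip_forward (on FreeBSD an ipfw rule matching `icmptypes 5` on the inbound interface, or a pf `icmp-type redir` block, does the same job), and `host_accepts_redirect` is the validation a host has to perform if it does act on redirects instead of setting `net.inet.icmp.drop_redirect=1`; note that even the RFC 1122 check only verifies that the sender claims to be the current gateway, so on a shared link it stops off-link injection but not a spoofing neighbour.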