Date:      Fri, 14 Jun 2024 06:52:41 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To:        Ed Maste <emaste@FreeBSD.org>
Cc:        "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>, freebsd-net@FreeBSD.org
Subject:   Re: Discarding inbound ICMP REDIRECT by default
Message-ID:  <202406141352.45EDqfjx049399@gndrsh.dnsmgr.net>
In-Reply-To: <CAPyFy2B2LQyqJ+zQzjdHfxj57=_Y-28ZzLPPr-bRES_c2x8=bA@mail.gmail.com>

> > > > Discarding ICMP redirects on an internet host is non-conformant with
> > > > STD-3 via rfc-1122.  Processing of ICMP redirects is a MUST for hosts.
> > >
> > > In that case our default of "auto" is non-conformant if you have a
> > > routing daemon.
> >
> > NO, because then you're not subject to rfc-1122 as you're now a router,
> > not a host.
> 
> I would argue that having IP forwarding enabled (i.e.
> net.inet.ip.forwarding for IPv4) is what establishes FreeBSD as a
> router, and ICMP REDIRECT messages are already dropped in kernel in
> that case.

Yet another mistake by FreeBSD.  Dropping or not dropping these ICMP
messages is a SITE SPECIFIC POLICY, and should never be hard coded to the
wrong knobs.

One can easily be using FreeBSD as a router inside an AS that has
a need for ICMP REDIRECT to pass through that router unfiltered.

But I would agree in general that the better detection mechanism for
the "auto" keyword of /etc/rc.conf icmp_drop_redirects is probably
the value of net.inet.ip.forwarding and net.inet6.ip6.forwarding,
but IIRC there is an ordering issue.  Could use the *GATEWAY_ENABLE
rc.conf variables though.

-- 
Rod Grimes                                                 rgrimes@freebsd.org
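An added example (editor's code, not FreeBSD's rc scripts and not part of the thread) of the detection the message suggests: resolving the rc.conf icmp_drop_redirects "auto" keyword from the gateway_enable / ipv6_gateway_enable rc.conf knobs rather than from the forwarding sysctls, which sidesteps the ordering issue mentioned above. The mapping of "auto" (drop redirects only when the box is configured as a router, keep processing them on an RFC 1122 host) is my reading of the thread, not settled FreeBSD policy, and the sysctl names net.inet.icmp.drop_redirect and net.inet6.icmp6.rediraccept are assumed to be the knobs that such a policy would end up setting.

```shell
#!/bin/sh
# Added example: resolve the rc.conf icmp_drop_redirects policy into the
# sysctl values to apply, using the rc.conf gateway knobs as the
# "is this system a router" signal (assumption: mirrors the suggestion in
# the message; the "auto" mapping below is the editor's, not FreeBSD's).

# checkyesno-style normalisation: YES/TRUE/ON/1 -> 0 (true), else 1
is_yes() {
    case "$1" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# resolve_icmp_drop_redirects POLICY GATEWAY_ENABLE IPV6_GATEWAY_ENABLE
# Prints 1 (discard inbound redirects) or 0 (process them).
# POLICY is the rc.conf icmp_drop_redirects value: YES, NO or auto.
resolve_icmp_drop_redirects() {
    policy=$1; gw4=$2; gw6=$3
    case "$policy" in
    [Aa][Uu][Tt][Oo])
        # Assumed "auto" semantics: a system configured to forward for
        # either address family is a router, so redirects addressed to it
        # are not wanted; a plain host keeps processing them (RFC 1122).
        if is_yes "$gw4" || is_yes "$gw6"; then
            echo 1
        else
            echo 0
        fi ;;
    *)
        # Explicit YES/NO is site policy: honour it regardless of role.
        if is_yes "$policy"; then echo 1; else echo 0; fi ;;
    esac
}

# sysctl_commands POLICY GATEWAY_ENABLE IPV6_GATEWAY_ENABLE
# Prints the sysctl invocations (dry run, nothing is applied) so the
# resolved policy can be reviewed before it is put into an rc script.
# Note the IPv6 knob is inverted: rediraccept=1 means "accept".
sysctl_commands() {
    drop=$(resolve_icmp_drop_redirects "$1" "$2" "$3")
    accept6=$((1 - drop))
    printf 'sysctl net.inet.icmp.drop_redirect=%s\n' "$drop"
    printf 'sysctl net.inet6.icmp6.rediraccept=%s\n' "$accept6"
}

# Usage: sh this.sh auto YES NO
if [ $# -ge 3 ]; then
    sysctl_commands "$1" "$2" "$3"
fi
```

Feeding the three rc.conf values in explicitly keeps the function free of any dependency on when the forwarding sysctls get set during boot, which is the ordering concern raised in the message.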