Date: Fri, 14 Jun 2024 06:57:06 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To: Ed Maste <emaste@FreeBSD.org>
Cc: Chris <bsd-lists@bsdforge.com>, "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>, freebsd-net@FreeBSD.org
Subject: Re: Discarding inbound ICMP REDIRECT by default
Message-ID: <202406141357.45EDv686049428@gndrsh.dnsmgr.net>
In-Reply-To: <CAPyFy2DmbfYOYvWKm7%2Bfq5RMgM8que6OW7LKJHKoMH=L%2B9-wwg@mail.gmail.com>

> On Wed, 12 Jun 2024 at 18:05, Chris <bsd-lists@bsdforge.com> wrote:
> >
> > As Rodney already effectively explains; dropping packets makes routing,
> > and discovery exceedingly difficult. Which is NOT what the average user
> > wants,
>
> This is on end hosts only, not routers (which already drop ICMP REDIRECT).

Probably a mistake, see other email.

> > or expects. I use "set block-policy drop" in pf(4). But as already noted,
> > this is for "filtering" purposes. Your suggestion also has the negative
> > effect
> > of hanging remote ports. Which can result in other negative results by peers.
>
> I don't follow -- how does a host not processing ICMP REDIRECT cause
> these effects?

I am not sure that it would "hang" the port, but by ignoring the redirect
you're going to place additional burden on the router that is trying to
redirect you, as all packets would have to be forwarded by that router.

I suppose it could hang you if in fact the router sent the redirect but
did not forward the packet for you, expecting that a retransmission with
your updated routing table due to the redirect would get the flow going.

--
Rod Grimes                                                 rgrimes@freebsd.org