Date: Fri, 30 Dec 2005 01:07:13 +0100
From: Andre Oppermann <andre@freebsd.org>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-net@freebsd.org
Subject: Re: forwarding icmp redirects.
Message-ID: <43B47A31.2CABFD7D@freebsd.org>
References: <43B45D8A.7040609@elischer.org>

Julian Elischer wrote:
>
> I know WE don't generate non local icmp redirects but I notice that we
> would forward them should someone else (malicious or not) generate them..
> I think that we possibly should check for them in our forwarding code..
> (of course you can stop them with the firewall but..)
>
> thoughts?

The job of the forwarding code is to forward packets with little to no
exceptions. Dropping certain types of ICMP packets is out of scope for
the forwarding code. The proper place is a firewall.

IMHO we should disable emitting and acting upon ICMP redirects by default.

--
Andre
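
Added example, not part of the original message and not FreeBSD code: a sketch of the check a packet filter would make to drop ICMP redirects (type 5) from transit traffic, which is where the reply above places that decision. The function name, verdict names and sample packets are assumptions constructed for illustration; note that the ICMP type must be located via the IP header length, since IP options shift it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_ICMP 1          /* IPv4 protocol number for ICMP */
#define ICMP_TYPE_REDIRECT 5  /* ICMP type 5, Redirect (RFC 792) */

enum verdict { PASS, DROP_REDIRECT, DROP_MALFORMED };

/* Constructed sample packets (documentation addresses, checksums left zero). */
static const uint8_t redirect_plain[] = { 0x45,0,0,28, 0,0,0,0, 64,1,0,0,
    192,0,2,1, 198,51,100,7,  5,1,0,0, 192,0,2,254 };
/* Same redirect behind 4 bytes of IP options (IHL = 6). */
static const uint8_t redirect_opts[] = { 0x46,0,0,32, 0,0,0,0, 64,1,0,0,
    192,0,2,1, 198,51,100,7,  1,1,1,0,  5,1,0,0, 192,0,2,254 };
static const uint8_t echo_request[] = { 0x45,0,0,28, 0,0,0,0, 64,1,0,0,
    192,0,2,1, 198,51,100,7,  8,0,0,0, 0,1,0,1 };

/* Verdict for an IPv4 packet that is about to be forwarded. */
enum verdict filter_forwarded(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return DROP_MALFORMED;
    if (pkt[9] != PROTO_ICMP)
        return PASS;
    /* Only the first fragment carries the ICMP header. */
    unsigned frag_off = ((unsigned)(pkt[6] & 0x1f) << 8) | pkt[7];
    if (frag_off != 0)
        return PASS;
    if (len < ihl + 1)
        return DROP_MALFORMED;                  /* ICMP type byte missing */
    /* The type byte sits at offset ihl, not at a fixed offset of 20. */
    return pkt[ihl] == ICMP_TYPE_REDIRECT ? DROP_REDIRECT : PASS;
}

int main(void)
{
    printf("plain=%d opts=%d echo=%d\n",
           filter_forwarded(redirect_plain, sizeof redirect_plain),
           filter_forwarded(redirect_opts, sizeof redirect_opts),
           filter_forwarded(echo_request, sizeof echo_request));
    return 0;
}
```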