Message-ID: <43B47A31.2CABFD7D@freebsd.org>
Date: Fri, 30 Dec 2005 01:07:13 +0100
From: Andre Oppermann
To: Julian Elischer
Cc: freebsd-net@freebsd.org
References: <43B45D8A.7040609@elischer.org>
Subject: Re: forwarding icmp redirects.

Julian Elischer wrote:
>
> I know WE don't generate non local icmp redirects but I notice that we
> would forward them should someone else (malicious or not) generate them..
> I think that we possibly should check for them in our forwarding code..
> (of course you can stop them with the firewall but..)
>
> thoughts?

The job of the forwarding code is to forward packets with little to no
exceptions. Dropping certain types of ICMP packets is out of scope for
the forwarding code. The proper place is a firewall.

IMHO we should disable emitting and acting upon ICMP redirects by default.

--
Andre
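
Added example, not part of the message above and not FreeBSD code: the per-packet test that a firewall rule dropping forwarded ICMP redirects has to make, including IP options, fragments and truncated packets. The function name, verdict values and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PASS, DROP_REDIRECT, DROP_MALFORMED };

/* Classify one raw IPv4 packet on the forwarding path: is it an ICMP
   redirect (type 5, RFC 792)? Checksums are not verified here. */
enum verdict classify_transit(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;      /* header incl. options */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];   /* IP total length */
    if (ihl < 20 || tot < ihl || tot > len)
        return DROP_MALFORMED;
    if (pkt[9] != 1)                               /* protocol 1 = ICMP */
        return PASS;
    /* Only the first fragment (offset 0) carries the ICMP header; later
       fragments cannot be typed and need reassembly or a separate policy. */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return PASS;
    if (tot < ihl + 8)                             /* ICMP header: 8 bytes */
        return DROP_MALFORMED;
    return pkt[ihl] == 5 ? DROP_REDIRECT : PASS;
}

/* Constructed sample packets (documentation addresses, zero checksums). */
static const uint8_t redirect_pkt[28] = {
    0x45,0,0,28, 0,0,0,0, 64,1,0,0, 192,0,2,1, 198,51,100,7,
    5,1,0,0, 192,0,2,254 };                        /* type 5, code 1 */
static const uint8_t echo_pkt[28] = {
    0x45,0,0,28, 0,0,0,0, 64,1,0,0, 192,0,2,1, 198,51,100,7,
    8,0,0,0, 0,1,0,1 };                            /* type 8 echo request */
static const uint8_t opt_redirect_pkt[32] = {      /* IHL=6: 4 option bytes */
    0x46,0,0,32, 0,0,0,0, 64,1,0,0, 192,0,2,1, 198,51,100,7,
    1,1,1,1, 5,0,0,0, 192,0,2,254 };
static const uint8_t frag_pkt[28] = {              /* offset 1: not first */
    0x45,0,0,28, 0,0,0,1, 64,1,0,0, 192,0,2,1, 198,51,100,7,
    5,1,0,0, 192,0,2,254 };

int main(void)
{
    printf("redirect=%d echo=%d options=%d fragment=%d\n",
           classify_transit(redirect_pkt, sizeof redirect_pkt),
           classify_transit(echo_pkt, sizeof echo_pkt),
           classify_transit(opt_redirect_pkt, sizeof opt_redirect_pkt),
           classify_transit(frag_pkt, sizeof frag_pkt));
    return 0;
}
```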