Date: Thu, 13 Jun 2024 06:39:13 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To: Ed Maste <emaste@FreeBSD.org>
Cc: freebsd-net@FreeBSD.org
Subject: Re: Discarding inbound ICMP REDIRECT by default
Message-ID: <202406131339.45DDdDma044779@gndrsh.dnsmgr.net>
In-Reply-To: <CAPyFy2CKZFf6QF1j-kWPG+3yetjNSszdCnJF=T6-hPmozheYYw@mail.gmail.com>
> I propose that we start dropping inbound ICMP REDIRECTs by default, by
> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and
> changing the associated rc.conf machinery). I've opened a Phabricator
> review at https://reviews.freebsd.org/D45102.
>
> ICMP REDIRECTs served a useful purpose in earlier networks, but on
> balance are more likely to represent a security issue today than to
> provide a routing benefit. With the change in review it is of course
> still possible to enable them if desired for a given installation.
> This change would appear in FreeBSD 15.0 and would not be MFC'd.
>
> One question raised in the review is about switching the default to
> YES but keeping the special handling for "auto" (dropping ICMP
> REDIRECT if a routing daemon is in use, honouring them if not). I
> don't think this is particularly valuable given that auto was
> introduced to override the default NO when necessary; there's no need
> for it with the default being YES. That functionality could be
> maintained if there is a compelling use case, though.
>
> If you have any questions or feedback please follow up here or in the review.

Discarding ICMP redirects on an internet host is non-conformant with STD-3 via RFC 1122. Processing of ICMP redirects is a MUST for hosts.

-- 
Rod Grimes rgrimes@freebsd.org
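The rc.conf handling discussed in the quoted proposal (YES/NO/auto resolving to the value handed to net.inet.icmp.drop_redirect, with the proposed YES default), as an added example that is not code from this thread or from FreeBSD's own rc.d scripts. The rc.conf variable names icmp_drop_redirect and routed_enable, and using routed_enable as the "is a routing daemon in use" check for auto, are assumptions.

```shell
#!/bin/sh
# Added example: mirror the proposed rc.conf policy and audit a host against it.
# Variable names and the routing-daemon check are assumptions, not FreeBSD's rc.d code.

# Map an rc.conf icmp_drop_redirect value to the sysctl value:
# 1 = discard inbound ICMP REDIRECTs, 0 = honour them (RFC 1122 host behaviour).
#   $1: YES, NO, auto or empty (empty takes the proposed default, YES)
#   $2: YES/NO, whether a routing daemon is enabled; only consulted for auto
resolve_drop_redirect() {
    setting=${1:-YES}
    daemon=${2:-NO}
    case "$setting" in
        [Yy][Ee][Ss]) echo 1 ;;
        [Nn][Oo])     echo 0 ;;
        [Aa][Uu][Tt][Oo])
            # auto: drop when a routing daemon runs, honour redirects when it does not
            case "$daemon" in [Yy][Ee][Ss]) echo 1 ;; *) echo 0 ;; esac ;;
        *) echo "unknown icmp_drop_redirect value: $setting" >&2; return 1 ;;
    esac
}

# Read one variable from an rc.conf-style file: last assignment wins,
# surrounding quotes and trailing comments are stripped.
#   $1: file   $2: variable name
rc_var() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\)[\"']\{0,1\}.*/\1/p" "$1" \
        | tail -n 1
}

# Audit: print the value rc.conf asks for and compare it with the running kernel.
#   $1: rc.conf path   $2: current value, e.g. "$(sysctl -n net.inet.icmp.drop_redirect)"
# Returns 0 when they agree, 2 when the kernel has drifted, 1 on a bad setting.
audit_drop_redirect() {
    expected=$(resolve_drop_redirect "$(rc_var "$1" icmp_drop_redirect)" \
                                     "$(rc_var "$1" routed_enable)") || return 1
    echo "$expected"
    [ "$expected" = "$2" ] || return 2
}
```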