Date: Thu, 13 Jun 2024 12:16:39 -0700 From: Chris <bsd-lists@bsdforge.com> To: "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net> Cc: Ed Maste <emaste@freebsd.org>, freebsd-net@freebsd.org Subject: Re: Discarding inbound ICMP REDIRECT by default Message-ID: <c378be3fcea6439d16c5a605185590ca@bsdforge.com> In-Reply-To: <202406131334.45DDYLg5044761@gndrsh.dnsmgr.net> References: <202406131334.45DDYLg5044761@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2024-06-13 06:34, Rodney W. Grimes wrote: >> On 2024-06-12 15:05, Chris wrote: >> > On 2024-06-12 14:47, Rodney W. Grimes wrote: >> >>> I propose that we start dropping inbound ICMP REDIRECTs by default, by >> >>> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and >> >>> changing the associated rc.conf machinery). I've opened a Phabricator >> >>> review at https://reviews.freebsd.org/D45102. >> >> >> >> I propse that we NOT do this. If you need this to protect your end >> >> node your probably doing something really unsafe network wise. The >> >> place that ICMP REDIRECTS should be dropped, and is most places, is >> >> at access routers and firewalls. >> >> >> >> Any one that needs this change to protect there network has larger >> >> issues than an ICMP REDIECT causing some issues. >> >> >> >> ICMP redirectr are very usefull for not having to run routing >> >> protocols on all your end nodes and allowing your edge/access >> >> routers tell your internal hosts via redirects how to get to >> >> places more efficiently. >> >> >> >>> >> >>> ICMP REDIRECTs served a useful purpose in earlier networks, but on >> >> They still serve this very usefull purpose. >> >> >> >>> balance are more likely to represent a security issue today than to >> >>> provide a routing benefit. With the change in review it is of course >> >>> still possible to enable them if desired for a given installation. >> >>> This change would appear in FreeBSD 15.0 and would not be MFC'd. >> >>> >> >>> One question raised in the review is about switching the default to >> >>> YES but keeping the special handling for "auto" (dropping ICMP >> >>> REDIRECT if a routing daemon is in use, honouring them if not). I >> >>> don't think this is particularly valuable given that auto was >> >>> introduced to override the default NO when necessary; there's no need >> >>> for it with the default being YES. That functionality could be >> >>> maintained if there is a compelling use case, though. >> >> >> >> The policy that is there now is exactly how things should be configured >> >> for a host in a network protected by a proper router w/firewall. >> >> The existing "auto" does exactly the right thing. >> >> >> >>> >> >>> If you have any questions or feedback please follow up here or in the >> >>> review. >> > As Rodeney already effectively explains; dropping packets makes routing, >> > and discovery exceedingly difficult. Which is NOT what the average user >> > wants, >> > or expects. I use "set block-policy drop" in pf(4). But as already noted, >> > this is for "filtering" purposes. Your suggestion also has the negative >> > affect >> > of hanging remote ports. Which can result in other negative results by >> > peers. >> > >> > Please don't. :) >> >>> >> >>> >> > --Chris >> OK, now having actually read the (phab) review. I'm of the opposite >> opinion. >> Your review seems to make the right decision. :) > > You do get that the final effect of the change is that by default ALL > freeBSD boxes well be dropping ICMP REDIRECTS, both routers and end > nodes. > > I know first hand that this change WOULD break my network(s) in locations > that have more than 1 router as all of the interior hosts simply depend > on an ICMP redirect to get them using the optimal router after they > wrongly use the default router for a packet. > > A quick check on Ubunty 22.04 and Debian 12 indicate these are stlll > accepted by default on those systems. > > Again, this is gona be one of those "bite someone in the ass" and your > actually not providing any real security to anyone by making this change. > > If this is such a security issue, how come FREEFALL.freebsd.org still > has: > net.inet.icmp.drop_redirect: 0 > > Because it does not need to do that, because it is properly protected > by routers and firewalls that do the dropping for them. > > DOG food Dog FOOD DOG FOOD!!! Firstly, please accept my apology for incorrectly spelling your name. :/ Secondly, my "reversal" of opinion on the matter was based upon my assumption on what would be returned by "auto". Closer examination, and reviewing your reply here, I think you're right, as was my original response. Accepting the new changes, as you say; will bite me in the ass -- well, will make my job (and others) more challenging. While I can appreciate the intent to keep users from getting "spoofed" packets that lead them into trouble. I think this is more a matter of responsible (network) administration. Maybe a better solution could be sent from rc(8) if FreeBSD thinks you've made the wrong decision here? Because the proposed change(s) look to me to only make routing and discovery more problematic. Thanks for commenting, (and correcting me) Rodney. :) --Chris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c378be3fcea6439d16c5a605185590ca>