Re: forwarding icmp redirects.



Julian Elischer wrote:
>
> I know WE don't generate non local icmp redirects but I notice that we
> would forward them should someone else (malicious or not) generate them..
> I think that we possibly should check for them in our forwarding code..
> (of course you can stop them with the firewall but..)
>
> thoughts?

The job of the forwarding code is to forward packets with little to
no exceptions. Dropping certain types of ICMP packets is out of scope
for the forwarding code. The proper place is a firewall.

IMHO we should disable emitting and acting upon ICMP redirects by default.

--
Andre
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
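
The firewall-side check discussed in this thread, as an added example that is not part of either post and is not FreeBSD code: a Python filter that gives a verdict for a packet in transit, dropping ICMP redirects (type 5) and passing other traffic. The function names, verdict strings, the drop policy for malformed packets, and the sample packets built from documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress
import struct

ICMP_PROTO = 1
ICMP_REDIRECT = 5  # ICMP type 5, RFC 792

def filter_forwarded(packet: bytes) -> tuple[str, str]:
    """Verdict for a packet in transit (not addressed to this host)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "pass", "not IPv4"
    ihl = (packet[0] & 0x0F) * 4  # header length, IP options included
    if ihl < 20 or len(packet) < ihl:
        return "drop", "malformed IPv4 header"  # assumed policy
    if packet[9] != ICMP_PROTO:
        return "pass", "not ICMP"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        # Later fragment: no ICMP header here. A real firewall reassembles first.
        return "pass", "non-first fragment"
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return "drop", "truncated ICMP header"  # assumed policy
    if icmp[0] == ICMP_REDIRECT:
        gateway = ipaddress.IPv4Address(icmp[4:8])  # gateway field of the redirect
        return "drop", f"transit ICMP redirect advertising gateway {gateway}"
    return "pass", f"ICMP type {icmp[0]}"

def build_packet(src: str, dst: str, icmp_type: int, rest: bytes = bytes(4),
                 options: bytes = b"") -> bytes:
    """Constructed sample IPv4+ICMP packet (checksums left at zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + rest
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         ihl * 4 + len(icmp), 0, 0, 64, ICMP_PROTO, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + icmp

if __name__ == "__main__":
    gw = ipaddress.IPv4Address("192.0.2.66").packed
    samples = {  # constructed packets, documentation address ranges
        "echo request": build_packet("198.51.100.7", "203.0.113.9", 8),
        "redirect": build_packet("198.51.100.7", "203.0.113.9", 5, gw),
        "redirect behind IP options": build_packet(
            "198.51.100.7", "203.0.113.9", 5, gw, options=bytes(4)),
    }
    for name, pkt in samples.items():
        print(name, "->", filter_forwarded(pkt))
```

The ICMP header is located from the IHL field rather than a fixed offset of 20, so a redirect carried behind IP options is still matched.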


