forwarding icmp redirects.

Andre Oppermann andre at freebsd.org
Thu Dec 29 16:07:18 PST 2005


Julian Elischer wrote:
> 
> I know WE don't generate non local icmp redirects but I notice that we
> would forward them should someone else (malicious or not) generate them..
> I think that we possibly should check for them in our forwarding code..
> (of course you can stop them with the firewall but..)
> 
> thoughts?

The job of the forwarding code is to forward packets with little to
no exceptions.  Dropping certain types of ICMP packets is out of scope
for the forwarding code.  The proper place is a firewall.

IMHO we should disable emitting and acting upon ICMP redirects by default.

-- 
Andre


More information about the freebsd-net mailing list