forwarding icmp redirects.
Julian Elischer
julian at elischer.org
Thu Dec 29 21:01:55 PST 2005
Andre Oppermann wrote:
> Julian Elischer wrote:
>
>>I know WE don't generate non-local ICMP redirects, but I notice that we
>>would forward them should someone else (malicious or not) generate them..
>>I think that we possibly should check for them in our forwarding code..
>>(of course you can stop them with the firewall, but..)
>>
>>thoughts?
>
>
> The job of the forwarding code is to forward packets with little to
> no exceptions. Dropping certain types of ICMP packets is out of scope
> for the forwarding code. The proper place is a firewall.
>
> IMHO we should disable emitting and acting upon ICMP redirects by default.
I know many places that rely on them heavily.. please don't do that..
Cisco PIX doesn't generate them.. it makes that machine a pain in the ****
to use in some situations.
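As an added example (not FreeBSD's forwarding code and not written by anyone in this thread), the following C shows the kind of check Julian proposes: classify an IPv4 packet as an ICMP redirect (type 5) so a forwarding path, or a firewall hook, can refuse to relay it. The packets are constructed inline rather than captured, and the function names (`is_icmp_redirect`, `forward_ok`, `build_ipv4_icmp`) are hypothetical.

```c
/* Added example for the thread above; not FreeBSD's forwarding code.
 * Constructed IPv4/ICMP packets are built inline so it runs stand-alone. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { IP_PROTO_ICMP = 1, ICMP_TYPE_REDIRECT = 5, ICMP_TYPE_ECHO = 8 };

/* Classify an IPv4 packet: 1 = ICMP redirect, 0 = anything else,
 * -1 = too short or malformed to decide (a forwarder drops those anyway). */
int is_icmp_redirect(const uint8_t *buf, size_t len)
{
    if (len < 20)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;     /* header length in bytes */
    if ((buf[0] >> 4) != 4 || ihl < 20 || len < ihl)
        return -1;
    size_t total = ((size_t)buf[2] << 8) | buf[3]; /* IP total length field */
    if (total < ihl || total > len)
        return -1;
    if (buf[9] != IP_PROTO_ICMP)
        return 0;
    /* Only the first fragment carries the ICMP header; a later fragment
     * cannot be judged a redirect on its own. */
    uint16_t frag_off = (uint16_t)(((buf[6] & 0x1f) << 8) | buf[7]);
    if (frag_off != 0)
        return 0;
    if (total < ihl + 8)                          /* type, code, cksum, gateway */
        return -1;
    return buf[ihl] == ICMP_TYPE_REDIRECT;
}

/* Forwarding-path policy discussed in the thread: a router never relays
 * another host's ICMP redirect, since a redirect is only meaningful between
 * a router and hosts on its own link. Returns 1 to forward, 0 to drop. */
int forward_ok(const uint8_t *buf, size_t len)
{
    return is_icmp_redirect(buf, len) == 0;   /* drop redirects and junk */
}

/* Constructed packet builder (not a real capture): minimal IPv4 header plus
 * an 8-byte ICMP header. The IP checksum is left zero; a real forwarder has
 * already verified it before reaching this check. Returns the packet length. */
size_t build_ipv4_icmp(uint8_t *out, size_t cap, uint8_t type, uint8_t code,
                       uint32_t src, uint32_t dst, uint32_t gateway)
{
    if (cap < 28)
        return 0;
    memset(out, 0, 28);
    out[0] = 0x45;                /* IPv4, IHL = 5 (20 bytes) */
    out[2] = 0; out[3] = 28;      /* total length */
    out[8] = 64;                  /* TTL */
    out[9] = IP_PROTO_ICMP;
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
        out[24 + i] = (uint8_t)(gateway >> (24 - 8 * i)); /* redirect gateway */
    }
    out[20] = type;
    out[21] = code;
    return 28;
}

int main(void)
{
    uint8_t pkt[28];
    /* Constructed: redirect-for-host (code 1) from 10.0.0.1 to 192.168.1.20,
     * naming gateway 10.0.0.254; a router should not relay it. */
    size_t n = build_ipv4_icmp(pkt, sizeof pkt, ICMP_TYPE_REDIRECT, 1,
                               0x0A000001, 0xC0A80114, 0x0A0000FE);
    printf("redirect: forward=%d\n", forward_ok(pkt, n));
    /* Constructed: an ordinary echo request passes through untouched. */
    n = build_ipv4_icmp(pkt, sizeof pkt, ICMP_TYPE_ECHO, 0,
                        0x0A000001, 0xC0A80114, 0);
    printf("echo request: forward=%d\n", forward_ok(pkt, n));
    return 0;
}
```

The check deliberately stays inside the IP total-length field rather than the buffer length, and refuses to decide on non-first fragments, so a truncated or fragmented packet cannot slip past as "not a redirect". Whether this belongs in the forwarding path or in ipfw/pf, as Andre argues, is the policy question the thread leaves open.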