Re: Discarding inbound ICMP REDIRECT by default
- In reply to: Ed Maste : "Re: Discarding inbound ICMP REDIRECT by default"
Date: Fri, 14 Jun 2024 18:15:02 UTC
On 2024-06-14 05:50, Ed Maste wrote:
> On Wed, 12 Jun 2024 at 18:05, Chris <bsd-lists@bsdforge.com> wrote:
>>
>> As Rodeney already effectively explains; dropping packets makes routing,
>> and discovery exceedingly difficult. Which is NOT what the average user
>> wants,
>
> This is on end hosts only, not routers (which already drop ICMP REDIRECT).
>
>> or expects. I use "set block-policy drop" in pf(4). But as already noted,
>> this is for "filtering" purposes. Your suggestion also has the negative
>> effect of hanging remote ports. Which can result in other negative
>> results by peers.
>
> I don't follow -- how does a host not processing ICMP REDIRECT cause
> these effects?

It appears I may have overstated my point here. Dropping redirects isn't
(necessarily) out of line. I was thinking in terms of dropping (all) queries.
Which is wrong in this context. Sorry. :)

Thanks for taking the time to respond.

--Chris