Re: Discarding inbound ICMP REDIRECT by default

From: Chris <bsd-lists_at_bsdforge.com>
Date: Fri, 14 Jun 2024 18:15:02 UTC

On 2024-06-14 05:50, Ed Maste wrote:
> On Wed, 12 Jun 2024 at 18:05, Chris <bsd-lists@bsdforge.com> wrote:
>> 
>> As Rodney already effectively explains, dropping packets makes routing
>> and discovery exceedingly difficult. Which is NOT what the average user wants,
> 
> This is on end hosts only, not routers (which already drop ICMP REDIRECT).
> 
>> or expects. I use "set block-policy drop" in pf(4). But as already noted,
>> this is for "filtering" purposes. Your suggestion also has the negative effect
>> of hanging remote ports. Which can result in other negative results by peers.
> 
> I don't follow -- how does a host not processing ICMP REDIRECT cause
> these effects?

It appears I may have overstated my point here. Dropping redirects isn't
(necessarily) out of line. I was thinking in terms of dropping (all) queries.
Which is wrong in this context. Sorry. :)
Thanks for taking the time to respond.

--Chris