Discarding inbound ICMP REDIRECT by default
Date: Tue, 07 May 2024 18:12:11 UTC
I propose that we start dropping inbound ICMP REDIRECTs by default, by setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and changing the associated rc.conf machinery). I've opened a Phabricator review at https://reviews.freebsd.org/D45102.

ICMP REDIRECTs served a useful purpose in earlier networks, but on balance are more likely to represent a security issue today than to provide a routing benefit. With the change in review it is of course still possible to enable them if desired for a given installation.

This change would appear in FreeBSD 15.0 and would not be MFC'd.

One question raised in the review is about switching the default to YES but keeping the special handling for "auto" (dropping ICMP REDIRECT if a routing daemon is in use, honouring them if not). I don't think this is particularly valuable given that auto was introduced to override the default NO when necessary; there's no need for it with the default being YES. That functionality could be maintained if there is a compelling use case, though.

If you have any questions or feedback please follow up here or in the review.
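As an added illustration (not code from the review or from FreeBSD's own rc.d scripts), the following POSIX sh model shows how the rc.conf setting maps onto the net.inet.icmp.drop_redirect sysctl under the old default (NO) and the proposed default (YES), including the "auto" behaviour discussed above. It assumes the rc.conf variable is icmp_drop_redirect and takes "routing daemon in use" as an argument instead of detecting it.

```shell
#!/bin/sh
# Model of the rc.conf -> sysctl mapping for ICMP REDIRECT handling.
# Added illustration only; the real logic lives in FreeBSD's rc.d scripts.
# "Routing daemon in use" is passed in as an argument (constructed stand-in
# for the detection the rc.d code performs).

# effective_drop_redirect RCVALUE DAEMON_IN_USE NEW_DEFAULT
#   RCVALUE       value of icmp_drop_redirect from rc.conf ("" if unset)
#   DAEMON_IN_USE 1 if a dynamic routing daemon is enabled, otherwise 0
#   NEW_DEFAULT   1 = proposed default (drop), 0 = historic default (honour)
# Prints the value net.inet.icmp.drop_redirect would be set to.
effective_drop_redirect() {
    rcvalue=$1; daemon=$2; newdefault=$3
    case "$rcvalue" in
    "")
        # Unset: historic default is NO (honour redirects); the proposal
        # makes the default YES (drop), so the decision depends on NEW_DEFAULT.
        echo "$newdefault" ;;
    [Aa][Uu][Tt][Oo])
        # auto: drop only when a routing daemon is in use, honour otherwise.
        echo "$daemon" ;;
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
        echo 1 ;;
    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)
        echo 0 ;;
    *)
        echo "unrecognised icmp_drop_redirect value: $rcvalue" >&2
        return 1 ;;
    esac
}

# rcconf_value FILE VAR: last VAR=... assignment in an rc.conf-style file,
# with surrounding quotes stripped.
rcconf_value() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'"
}

# demo DAEMON_IN_USE: evaluate a constructed rc.conf that sets "auto"
# under the proposed default and print the resulting sysctl value.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'hostname="host.example"' 'icmp_drop_redirect="auto"' > "$tmp"
    v=$(rcconf_value "$tmp" icmp_drop_redirect)
    rm -f "$tmp"
    effective_drop_redirect "$v" "$1" 1
}
```

On a real host the printed value would be applied with `sysctl net.inet.icmp.drop_redirect=<value>`; the script deliberately does not touch the live sysctl.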