Re: Discarding inbound ICMP REDIRECT by default

From: Ed Maste <emaste_at_freebsd.org>
Date: Fri, 14 Jun 2024 14:51:03 UTC
On Fri, 14 Jun 2024 at 09:52, Rodney W. Grimes
<freebsd-rwg@gndrsh.dnsmgr.net> wrote:
> >
> > I would argue that having IP forwarding enabled (i.e.
> > net.inet.ip.forwarding for IPv4) is what establishes FreeBSD as a
> > router, and ICMP REDIRECT messages are already dropped in kernel in
> > that case.
>
> Yet another mistake by FreeBSD.  Dropping or not dropping these ICMP
> messages is a SITE SPECIFIC POLICY, and should never be hard coded to
> the wrong knobs.

This change dates to 2004:

commit 87c3bd275523515dc67444b900a8f1d39ae257cd
Author: Andre Oppermann <andre@FreeBSD.org>
Date:   Tue Jan 6 23:20:07 2004 +0000

    According to RFC1812 we have to ignore ICMP redirects when we
    are acting as router (ipforwarding enabled).

    This doesn't fix the problem that host routes from ICMP redirects
    are never removed from the kernel routing table but removes the
    problem for machines doing packet forwarding.

RFC1812 is not quite that explicit, but:

| A router using a routing protocol (other than static routes) MUST NOT
| consider paths learned from ICMP Redirects when forwarding a packet.
| If a router is not using a routing protocol, a router MAY have a
| configuration that, if set, allows the router to consider routes
| learned through ICMP Redirects when forwarding packets.