Re: Discarding inbound ICMP REDIRECT by default
- Reply: Ed Maste : "Re: Discarding inbound ICMP REDIRECT by default"
- In reply to: Ed Maste : "Discarding inbound ICMP REDIRECT by default"
Date: Tue, 07 May 2024 18:34:35 UTC
On 7.05.2024 at 20:12, Ed Maste wrote:
> I propose that we start dropping inbound ICMP REDIRECTs by default, by
> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and
> changing the associated rc.conf machinery). I've opened a Phabricator
> review at https://reviews.freebsd.org/D45102.
>
> ICMP REDIRECTs served a useful purpose in earlier networks, but on
> balance are more likely to represent a security issue today than to
> provide a routing benefit. With the change in review it is of course
> still possible to enable them if desired for a given installation.
> This change would appear in FreeBSD 15.0 and would not be MFC'd.
>
> One question raised in the review is about switching the default to
> YES but keeping the special handling for "auto" (dropping ICMP
> REDIRECT if a routing daemon is in use, honouring them if not). I
> don't think this is particularly valuable given that auto was
> introduced to override the default NO when necessary; there's no need
> for it with the default being YES. That functionality could be
> maintained if there is a compelling use case, though.
>
> If you have any questions or feedback please follow up here or in the review.
>

Thank you for submitting your inquiry to the community. I spotted it on Phabricator yesterday. It looks to me like a long-awaited, positive change.

But what about IPv6? We have the "net.inet6.icmp6.rediraccept" knob, which defaults to 1. Can ICMPv6 redirects be fixed along with the change proposed for the legacy IP protocol?

--
Marek Zarychta
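An added audit script (not from this thread, nor FreeBSD's own tooling) that checks both knobs named in the discussion, net.inet.icmp.drop_redirect for IPv4 and net.inet6.icmp6.rediraccept for IPv6, against the hardened values (1 and 0 respectively) and prints sysctl.conf(5)-style lines for whatever still needs changing. It assumes FreeBSD's "name: value" sysctl output format; the sample input below is constructed to match the current defaults.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: audit ICMP/ICMPv6
# redirect acceptance on a FreeBSD host from its sysctl output.
# Desired hardened values: net.inet.icmp.drop_redirect=1 (drop IPv4
# redirects) and net.inet6.icmp6.rediraccept=0 (ignore IPv6 redirects).

# Evaluate one knob against the wanted value.
# Usage: eval_knob NAME WANTED "sysctl output"
# Prints "ok NAME=VALUE", "fix NAME=WANTED" (a line usable verbatim in
# /etc/sysctl.conf), or "unknown NAME (...)" if the knob was not reported.
eval_knob() {
    name=$1; want=$2; output=$3
    # FreeBSD prints "name: value"; match the full name, not a prefix.
    have=$(printf '%s\n' "$output" | awk -v n="$name" -F': ' '$1 == n { print $2 }')
    if [ -z "$have" ]; then
        echo "unknown $name (not present in sysctl output)"
    elif [ "$have" = "$want" ]; then
        echo "ok $name=$have"
    else
        echo "fix $name=$want"
    fi
}

# Audit both address families from one blob of sysctl output.
audit_redirects() {
    eval_knob net.inet.icmp.drop_redirect 1 "$1"
    eval_knob net.inet6.icmp6.rediraccept 0 "$1"
}

# On a live FreeBSD host, feed the real values instead of the sample:
#   audit_redirects "$(sysctl net.inet.icmp.drop_redirect net.inet6.icmp6.rediraccept)"
# Constructed sample reflecting the pre-change defaults (IPv4 redirects
# honoured, IPv6 redirects accepted).
SAMPLE='net.inet.icmp.drop_redirect: 0
net.inet6.icmp6.rediraccept: 1'

audit_redirects "$SAMPLE"
```

Any "fix" line can be applied immediately with `sysctl name=value` and persisted by appending it to /etc/sysctl.conf.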