Date:      Tue, 7 May 2024 20:34:35 +0200
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        freebsd-net@freebsd.org
Subject:   Re: Discarding inbound ICMP REDIRECT by default
Message-ID:  <db22086a-5327-4d3f-b6ac-b5cfe630fa20@plan-b.pwste.edu.pl>
In-Reply-To: <CAPyFy2CKZFf6QF1j-kWPG+3yetjNSszdCnJF=T6-hPmozheYYw@mail.gmail.com>
References:  <CAPyFy2CKZFf6QF1j-kWPG+3yetjNSszdCnJF=T6-hPmozheYYw@mail.gmail.com>

On 7.05.2024 at 20:12, Ed Maste wrote:
> I propose that we start dropping inbound ICMP REDIRECTs by default, by
> setting the net.inet.icmp.drop_redirect sysctl to 1 by default (and
> changing the associated rc.conf machinery). I've opened a Phabricator
> review at https://reviews.freebsd.org/D45102.
>
> ICMP REDIRECTs served a useful purpose in earlier networks, but on
> balance are more likely to represent a security issue today than to
> provide a routing benefit. With the change in review it is of course
> still possible to enable them if desired for a given installation.
> This change would appear in FreeBSD 15.0 and would not be MFC'd.
>
> One question raised in the review is about switching the default to
> YES but keeping the special handling for "auto" (dropping ICMP
> REDIRECT if a routing daemon is in use, honouring them if not). I
> don't think this is particularly valuable given that auto was
> introduced to override the default NO when necessary; there's no need
> for it with the default being YES. That functionality could be
> maintained if there is a compelling use case, though.
>
> If you have any questions or feedback please follow up here or in the review.
>
Thank you for submitting your inquiry to the community. I spotted it on 
Phabricator yesterday. It looks to me like a long-awaited, positive change.

But what about IPv6? We have the "net.inet6.icmp6.rediraccept" knob, which 
defaults to 1. Can ICMPv6 redirects be fixed along with the change 
proposed for the legacy IP protocol?

-- 
Marek Zarychta
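An added example, not part of either message in the thread and not FreeBSD's own rc machinery: a small POSIX sh audit of the two knobs discussed above (net.inet.icmp.drop_redirect for IPv4, net.inet6.icmp6.rediraccept for IPv6), printing which side still honours inbound redirects, together with the sysctl.conf lines that make the hardened settings persistent. The rc.conf variable icmp_drop_redirect is the known IPv4 knob behind the "rc.conf machinery" the proposal refers to; it is named here as background only. When the script is run somewhere other than FreeBSD, the sysctls are absent, so it falls back to constructed sample values matching the current defaults described in the thread.

```sh
#!/bin/sh
# Added example (not code from the thread or from FreeBSD). Audits whether
# a host still accepts inbound ICMP/ICMPv6 redirects and prints the
# hardened persistent configuration.

# redirect_policy DROP_REDIRECT REDIRACCEPT
#   $1 = value of net.inet.icmp.drop_redirect   (1 = inbound IPv4 redirects dropped)
#   $2 = value of net.inet6.icmp6.rediraccept   (1 = inbound IPv6 redirects honoured)
# Prints "ipv4=<ok|weak> ipv6=<ok|weak>"; returns 0 only when both are ok.
redirect_policy() {
    drop4=$1
    accept6=$2
    rc=0
    if [ "$drop4" = "1" ]; then v4=ok; else v4=weak; rc=1; fi
    if [ "$accept6" = "0" ]; then v6=ok; else v6=weak; rc=1; fi
    printf 'ipv4=%s ipv6=%s\n' "$v4" "$v6"
    return $rc
}

# Lines for /etc/sysctl.conf so the hardened values survive a reboot.
# (For IPv4 the rc.conf knob icmp_drop_redirect="YES" achieves the same;
# the IPv6 knob is set directly via sysctl here.)
hardened_sysctl_conf() {
    cat <<'EOF'
net.inet.icmp.drop_redirect=1
net.inet6.icmp6.rediraccept=0
EOF
}

# Read live values on FreeBSD; elsewhere the sysctls do not exist, so use
# constructed sample values equal to the defaults the thread describes
# (IPv4 redirects honoured, IPv6 redirects accepted).
audit_host() {
    if sysctl -n net.inet.icmp.drop_redirect >/dev/null 2>&1; then
        d4=$(sysctl -n net.inet.icmp.drop_redirect)
        a6=$(sysctl -n net.inet6.icmp6.rediraccept)
    else
        d4=0   # constructed sample value
        a6=1   # constructed sample value
    fi
    redirect_policy "$d4" "$a6"
}

# Usage when run directly: report the host's state and, if anything is
# weak, show the lines to add to /etc/sysctl.conf.
if [ "${0##*/}" = "icmp_redirect_audit.sh" ]; then
    if ! audit_host; then
        echo "add to /etc/sysctl.conf:"
        hardened_sysctl_conf
    fi
fi
```

The functions take the sysctl values as arguments rather than calling sysctl inside, so the policy check can be exercised on captured values from several hosts (for example from a fleet inventory) without needing a FreeBSD box at hand; "weak" on the IPv6 line is exactly the condition Marek raises, since rediraccept defaults to 1 regardless of the IPv4 change.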