Andre Oppermann wrote:
Julian Elischer wrote:
I know WE don't generate non local icmp redirects but I notice that we
would forward them should someone else (malicious or not) generate them..
I think that we possibly should check for them in our forwarding code..
(of course you can stop them with the firewall but..)
thoughts?
The job of the forwarding code is to forward packets with little to
no exceptions. Dropping certain types of ICMP packets is out of scope
for the forwarding code. The proper place is a firewall.
IMHO we should disable emitting and acting upon ICMP redirects by default.
I know many places that rely on them heavily.. please don't do that..
Cisco PIX doesn't generate them.. it makes that machine a pain in the ****
to use in some situations.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
