On 11/14/06, Peter Allgeyer <[EMAIL PROTECTED]> wrote:
On Monday, 13.11.2006, 18:14 -0600, Bill Marquette wrote:
> This:
> net.inet.icmp.drop_redirect
> is NOT the same as:
> net.inet.ip.redirect
Ah, my fault, sure you're right. I meant I've played with
net.inet.ip.redirect. I do know what net.inet.icmp.drop_redirect is for
and that it's wise to enable it on a security device.
> But we default pfsense to not
> issuing redirects regardless.
Issuing redirects is some sort of standard TCP/IP behaviour, isn't it?
If someone thinks about not issuing them, he might know why.
Bad network design (I'm actually not going to pop open the Stevens
book to defend whether or not this is required behavior - it's bad
design). Actually, doing stuff like this is likely to screw up your
state table. State will be created for the first packet and there's a
good chance that at least part of the flow will hit the firewall again
and be out of state, prematurely disconnecting your flow. I've spent
WAYYY too many hours troubleshooting networks that made use of ICMP
redirects to make the network work, it's just not worth it.
--Bill
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
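The two sysctls the thread keeps apart have different jobs: net.inet.ip.redirect controls whether this box sends ICMP redirects when it forwards a packet out the interface it came in on (Bill's point: off), while net.inet.icmp.drop_redirect controls whether this box ignores redirects it receives (Peter's point: on for a security device). The audit function below is an added example, not code from the thread or from pfSense; it reads `sysctl` output in FreeBSD's `name: value` format from stdin so it can run anywhere, and the function name and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two FreeBSD/pfSense ICMP redirect knobs.
#   net.inet.ip.redirect        1 = this host ISSUES ICMP redirects when forwarding
#   net.inet.icmp.drop_redirect 1 = this host IGNORES ICMP redirects it RECEIVES
# audit_redirect_sysctls (hypothetical name) reads "name: value" lines from stdin,
# prints one verdict per knob and returns 0 only if both are set the hardened way.
audit_redirect_sysctls() {
    input=$(cat)
    send=$(printf '%s\n' "$input" | awk -F': ' '$1 == "net.inet.ip.redirect" { print $2 }')
    drop=$(printf '%s\n' "$input" | awk -F': ' '$1 == "net.inet.icmp.drop_redirect" { print $2 }')
    rc=0
    case "$send" in
        0) echo "OK   net.inet.ip.redirect=0 (host does not issue ICMP redirects)" ;;
        1) echo "WARN net.inet.ip.redirect=1 (host issues redirects; redirected flows may bypass the state table)"; rc=1 ;;
        *) echo "WARN net.inet.ip.redirect not present in input"; rc=1 ;;
    esac
    case "$drop" in
        1) echo "OK   net.inet.icmp.drop_redirect=1 (host ignores received ICMP redirects)" ;;
        0) echo "WARN net.inet.icmp.drop_redirect=0 (host accepts received redirects into its routing)"; rc=1 ;;
        *) echo "WARN net.inet.icmp.drop_redirect not present in input"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples in `sysctl -a` format. On a live box you would instead run:
#   sysctl net.inet.ip.redirect net.inet.icmp.drop_redirect | audit_redirect_sysctls
SAMPLE_WEAK='net.inet.ip.redirect: 1
net.inet.icmp.drop_redirect: 0
net.inet.ip.forwarding: 1'
SAMPLE_HARDENED='net.inet.ip.redirect: 0
net.inet.icmp.drop_redirect: 1
net.inet.ip.forwarding: 1'

# Persistent form of the hardened result, for /etc/sysctl.conf:
#   net.inet.ip.redirect=0
#   net.inet.icmp.drop_redirect=1

printf '%s\n' "$SAMPLE_WEAK" | audit_redirect_sysctls || echo "weak sample: not hardened"
printf '%s\n' "$SAMPLE_HARDENED" | audit_redirect_sysctls && echo "hardened sample: OK"
```

Checking the two knobs separately is the point: a box can have drop_redirect=1 and still be the one generating redirects into the network, which is exactly the asymmetric-path, out-of-state problem Bill describes.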