Even though I have set System->Settings->Tunables net.inet.icmp.drop_redirect = 1 (which should cause the OS to drop icmp redirects) today I have captured on the LAN interface many icmp redirects (type 5 code 1) going to one of my LAN devices in response to outgoing UDP packets.
Is the pf firewall associating these incoming icmp redirects as part of the udp connection state? If not, how are they getting through?
Why didn't the tunable stop them?
What can I do to stop them getting through?
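The following is an added example, not code from this thread or from pf itself. It builds a synthetic ICMP redirect (type 5, code 1) with RFC 5737 documentation addresses, parses it the way a stateful firewall looks at an ICMP error message (the quoted inner IP/UDP header, not the outer ICMP header), and checks whether that inner datagram corresponds to an existing outbound UDP state. The `related_to_state` function is a simplified model of that matching, an assumption for illustration; the packet builder and addresses are constructed.

```python
import struct
import ipaddress

ICMP_REDIRECT = 5          # ICMP type 5 = Redirect
IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for data whose embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(outer_src: str, victim: str, gateway: str,
                   inner_src: str, inner_dst: str, sport: int, dport: int) -> bytes:
    """Constructed ICMP redirect-for-host quoting the first 8 bytes of a UDP datagram."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)               # UDP header only
    inner = build_ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(udp)) + udp
    body = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ipaddress.IPv4Address(gateway).packed) + inner
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4_header(outer_src, victim, IPPROTO_ICMP, len(icmp)) + icmp


def parse_redirect(packet: bytes) -> dict:
    """Validate checksums and pull out the fields a stateful firewall actually keys on."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    if packet[9] != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    inner = icmp[8:]                                   # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "type": itype, "code": code,
        "gateway": str(ipaddress.IPv4Address(gw)),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9], "sport": sport, "dport": dport,
    }


def related_to_state(redirect: dict, udp_states: set) -> bool:
    """Simplified model (assumption): an ICMP error is 'related' when the datagram it
    quotes matches an existing state, keyed (src, sport, dst, dport) of the outbound flow."""
    key = (redirect["inner_src"], redirect["sport"], redirect["inner_dst"], redirect["dport"])
    return redirect["inner_proto"] == IPPROTO_UDP and key in udp_states


if __name__ == "__main__":
    # Constructed sample: LAN host 192.0.2.10 sent UDP/53 to 203.0.113.5 and gets a redirect back.
    pkt = build_redirect("203.0.113.5", "192.0.2.10", "203.0.113.7",
                         "192.0.2.10", "203.0.113.5", 51000, 53)
    r = parse_redirect(pkt)
    print(r)
    print("matches outbound UDP state:",
          related_to_state(r, {("192.0.2.10", 51000, "203.0.113.5", 53)}))
```

Because the match is made on the quoted inner datagram, a redirect that arrives shortly after a real outbound UDP packet looks like a legitimate error reply to the firewall's state table; the host-level drop_redirect tunable only governs what the firewall's own IP stack does with redirects addressed to itself, so a filter rule that explicitly blocks inbound ICMP type 5 on the WAN is the defender-side control to verify.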
To my knowledge this tunable instructs the firewall to drop redirects directed at it. It does not prevent the firewall from sending redirects to other devices - as it should, IMHO.
I am not 100% sure, though. Does someone know for certain?
Just to be clear, the icmp redirects were not generated on my firewall - they came from the internet.
Indeed, my understanding is that net.inet.icmp.drop_redirect being an OS tunable means that the icmp redirect shouldn't even have got to the firewall layer. Hence my surprise.
For what it is worth, I have also set the tunable net.inet.ip.redirect = 0 which should prevent my firewall from generating its own icmp redirects.