icmp redirects being passed from WAN to LAN by OPNSense

Started by sja1440, May 01, 2024, 06:00:43 PM

Even though I have set System->Settings->Tunables net.inet.icmp.drop_redirect = 1 (which should cause the OS to drop icmp redirects), today I have captured on the LAN interface many icmp redirects (type 5, code 1) going to one of my LAN devices in response to outgoing UDP packets.

Is the pf firewall associating these incoming icmp redirects as part of the udp connection state? If not, how are they getting through?

Why didn't the tunable stop them?

What can I do to stop them getting through?

To my knowledge this tunable instructs the firewall to drop redirects directed at it. It does not prevent the firewall from sending redirects to other devices - as it should, IMHO.

I am not 100% sure, though. Does someone know for certain?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Just to be clear, the icmp redirects were not generated on my firewall - they came from the internet.

Indeed, my understanding is that net.inet.icmp.drop_redirect being an OS tunable means that the icmp redirect shouldn't even have got to the firewall layer. Hence my surprise.

For what it is worth, I have also set the tunable net.inet.ip.redirect = 0 which should prevent my firewall from generating its own icmp redirects.
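Added illustration, not code from this thread or from OPNsense/pf: a small Python decoder for the ICMP type 5 (code 1) redirects described above. It shows why such a packet resembles part of the LAN host's UDP flow (it quotes that flow's IP and UDP headers, which is what ICMP-error state matching keys on) and applies the RFC 1122 section 3.2.2.2 sanity check that a redirect arriving from an off-link source, or advertising an off-link gateway, should be dropped before it reaches a LAN host. All addresses and ports are constructed sample values.

```python
import ipaddress
import struct
from typing import Optional

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when a stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_redirect(sender: str, victim: str, gateway: str, flow_dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: ICMP host redirect (type 5, code 1) quoting the victim's outgoing UDP datagram."""
    quoted = ipv4_header(victim, flow_dst, 17, 8) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(gateway).packed) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, victim, 1, len(icmp)) + icmp

def parse_icmp_redirect(pkt: bytes) -> Optional[dict]:
    """Decode a raw IPv4 packet; return redirect details, or None if it is not a valid ICMP redirect."""
    if pkt[0] >> 4 != 4 or pkt[9] != 1:          # not IPv4, or not ICMP (protocol 1)
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    typ, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != 5 or inet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]                              # original IP header + first 8 bytes of its payload
    sport, dport = struct.unpack("!HH", quoted[(quoted[0] & 0x0F) * 4:][:4])
    return {
        "from": str(ipaddress.IPv4Address(pkt[12:16])), "to": str(ipaddress.IPv4Address(pkt[16:20])),
        "code": code, "new_gateway": str(ipaddress.IPv4Address(gw)),
        # the quoted flow is what makes the redirect look like a reply to the host's own UDP traffic
        "flow": (str(ipaddress.IPv4Address(quoted[12:16])), sport,
                 str(ipaddress.IPv4Address(quoted[16:20])), dport, quoted[9]),
    }

def redirect_is_illegitimate(info: dict, lan: str) -> bool:
    """RFC 1122 3.2.2.2: a redirect is only acceptable from a router on the receiver's own link,
    naming a gateway on that same link. Anything else (e.g. one arriving via the WAN) should be dropped."""
    net = ipaddress.IPv4Network(lan)
    return (ipaddress.IPv4Address(info["from"]) not in net
            or ipaddress.IPv4Address(info["new_gateway"]) not in net)
```

Fed with frames from a LAN-side capture (e.g. tcpdump with the filter `icmp[0] == 5`), the parser lists every redirect's source, advertised gateway and quoted flow, which is the evidence needed to confirm that redirects are crossing the firewall rather than being generated by it.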