Topic: icmp redirects being passed from WAN to LAN by OPNSense (Read 494 times)
sja1440 « on: May 01, 2024, 06:00:43 pm »
Even though I have set System->Settings->Tunables net.inet.icmp.drop_redirect = 1 (which should cause the OS to drop icmp redirects), today I have captured on the LAN interface many icmp redirects (type 5 code 1) going to one of my LAN devices in response to outgoing UDP packets.
Is the pf firewall associating these incoming icmp redirects as part of the udp connection state? If not, how are they getting through?
Why didn't the tunable stop them?
What can I do to stop them getting through?
« Last Edit: May 01, 2024, 07:55:18 pm by sja1440 »
Patrick M. Hausen « Reply #1 on: May 01, 2024, 06:11:09 pm »
To my knowledge this tunable instructs the firewall to drop redirects directed at it. It does not prevent the firewall from sending redirects to other devices - as it should, IMHO.
I am not 100% sure, though. Does someone know for certain?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
sja1440 « Reply #2 on: May 01, 2024, 06:25:08 pm »
Just to be clear, the icmp redirects were not generated on my firewall - they came from the internet.
Indeed, my understanding is that net.inet.icmp.drop_redirect being an OS tunable means that the icmp redirect shouldn't even have got to the firewall layer. Hence my surprise.
For what it is worth, I have also set the tunable net.inet.ip.redirect = 0 which should prevent my firewall from generating its own icmp redirects.
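Added example, not part of the thread and not OPNsense code: a small Python parser to run over captured packet bytes to see which gateway an ICMP redirect (type 5) advertises and which original flow it quotes, so a capture like the one described can be compared with the LAN device's own outgoing UDP packets. The function names, the addresses and the sample packet are constructed for illustration, and checksums in the sample are left at zero.

```python
import socket
import struct

def parse_icmp_redirect(pkt: bytes):
    """Return details of an IPv4 ICMP redirect (type 5), or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:   # IP protocol 1 = ICMP
        return None
    if pkt[ihl] != 5:                                   # ICMP type 5 = redirect
        return None
    info = {"sender": socket.inet_ntoa(pkt[12:16]),
            "code": pkt[ihl + 1],                       # code 1 = redirect for host
            "gateway": socket.inet_ntoa(pkt[ihl + 4:ihl + 8]),
            "quoted": None}
    inner = pkt[ihl + 8:]           # quoted original IP header + first 8 payload bytes
    if len(inner) >= 20 and inner[0] >> 4 == 4:
        in_ihl = (inner[0] & 0x0F) * 4
        quoted = {"proto": inner[9],
                  "src": socket.inet_ntoa(inner[12:16]),
                  "dst": socket.inet_ntoa(inner[16:20])}
        if in_ihl >= 20 and inner[9] in (6, 17) and len(inner) >= in_ihl + 4:
            quoted["sport"], quoted["dport"] = struct.unpack("!HH", inner[in_ihl:in_ihl + 4])
        info["quoted"] = quoted
    return info

def quotes_flow(info, src, dst, proto, sport, dport):
    """True if the redirect quotes exactly this outgoing flow."""
    q = info["quoted"] if info else None
    return bool(q) and (q["src"], q["dst"], q["proto"],
                        q.get("sport"), q.get("dport")) == (src, dst, proto, sport, dport)

def _ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header for the constructed sample (checksum not computed).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample: a LAN host's UDP packet and a redirect that quotes it.
_UDP = _ipv4("192.168.1.50", "198.51.100.7", 17, struct.pack("!HHHH", 40000, 53, 8, 0))
SAMPLE = _ipv4("203.0.113.1", "192.168.1.50", 1,
               struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton("203.0.113.254")) + _UDP)

if __name__ == "__main__":
    r = parse_icmp_redirect(SAMPLE)
    print(r, quotes_flow(r, "192.168.1.50", "198.51.100.7", 17, 40000, 53))
```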