
Blocking icmp router redirection (was: Blocking icmp)



On Sunday, 1.06.2003 at 3:53 CEST +0200, Daniel Pittman wrote:
> On Sat, 31 May 2003, Frank Matthie wrote:
> > block router redirection - If there can only be one router on the other
> >                            end, block that.
> 
> This is the one point at which you are wrong. Many versions of Windows
> would respect the request for router redirection and happily start
> routing to anywhere you asked.
> 
> So, blocking that is sane ... not least of which because it's not really
> used. Just blocking the one *legal* source of these messages, though, is
> probably not a good idea.
> 
> If you want to allow it at all, allow it only from the legal
> source(s)...

Your point - ok, but my scenario is like this one:

LAN -> Router/Firewall -> ISP connection -> Router ISP

Why should my router "Router/Firewall" accept any router redirection from the
ISP router "Router ISP"? This is the only way to go to the net. If this router
isn't ok, my link is broken.

Frank.
-- 
Frank Matthieß                                                frankm@lug-owl.de


