Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent ICMP redirects not default Tunable #3410

Closed
AhnHEL opened this issue Apr 12, 2019 · 4 comments
Closed

Prevent ICMP redirects not default Tunable #3410

AhnHEL opened this issue Apr 12, 2019 · 4 comments
Assignees
@AdSchellevis
Labels
cleanup Low impact changes

Comments

@AhnHEL
Copy link

AhnHEL commented Apr 12, 2019
edited
Loading

This issue has been reported by Keropiko in the forum since 19.1.3 but has not been resolved or addressed by a Dev. I can confirm this issue still exists in 19.1.6

See the following post for details:

https://forum.opnsense.org/index.php?topic=11956.msg54541#msg54541

Tunable appears to default to off instead of on as it should.

net.inet.icmp.drop_redirect=default (0) and must manually be edited to (1).
@AdSchellevis
Copy link
Member

This only influences new installs / factory resets b424a2f
We didn't intent to change defaults for existing installs. Its intentional, as stated in the release notes:

o system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)

@AdSchellevis AdSchellevis added the support Community support label Apr 13, 2019
@AhnHEL
Copy link
Author

AhnHEL commented Apr 14, 2019
edited
Loading

Are these rules handled like the firewall rules processing order (from top to bottom) because I see them duplicated now at the bottom of the list after hitting the "Default" Red button now in System: Settings: Tunables?

The file at src/etc/config.xml.sample has these tunables duplicated in them.

@AdSchellevis
Copy link
Member

They shouldn't duplicate, but if you want to be sure what the current value is, on a console execute:

sysctl net.inet.icmp.drop_redirect

I'll take a look at the tunables/default button, but you can always remove the first (faulty) entry to make sure you have the correct setting.

@AdSchellevis
Copy link
Member

@AhnHEL I've removed the duplicates in 6101ba8, you can fix manually by removing the wrong entries. It looks like I missed the values already there. Thanks for the report.

@AdSchellevis AdSchellevis self-assigned this Apr 15, 2019
@AdSchellevis AdSchellevis added cleanup Low impact changes and removed support Community support labels Apr 15, 2019
fichtner pushed a commit that referenced this issue Apr 15, 2019
@AdSchellevis @fichtner
sysct, remove duplicates. closes #3410
4fc9696 
(cherry picked from commit 6101ba8)
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
@AdSchellevis @EugenMayer
sysct, remove duplicates. closes opnsense#3410
ab39acf
EugenMayer pushed a commit to KontextWork/opnsense_core that referenced this issue Jul 22, 2019
@AdSchellevis @EugenMayer
sysct, remove duplicates. closes opnsense#3410
d711f02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AdSchellevis AdSchellevis

Labels
cleanup Low impact changes
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AdSchellevis @AhnHEL