 From:  Chris Buechler
 To:  m0n0wall mailing list
 Subject:  Re: [m0n0wall] PPTP tunnel setup
 Date:  Tue, 8 Feb 2005 20:58:44 -0500
On Tue, 8 Feb 2005 13:30:01 -0800 (PST), Fred Wright <fw at well dot com> wrote:
> Yes, and not only is a route on the default gateway alone usually
> *suf*ficient, but also it's *ef*ficient if the gateway generates ICMP
> Redirects and they're honored by the clients.

Good to see ya back from being MIA for a while, Fred.  :)  Always
enjoy your excellent insight.

Efficient, absolutely.  Secure?  Depends on how much you can trust
your LAN.  As with many TCP/IP features, this is a good thing from a
performance and functionality standpoint, but bad from a security
standpoint.  This can be abused by any system on your LAN to basically
manipulate your routing table at will.  Most likely for the purpose of
playing man in the middle or sniffing your connections.

Of course even if you disable ICMP redirects, there are other means to
the same end, like ARP poisoning for one, and more measures to protect
against those.

My point, I suppose, is don't allow your hosts to obey ICMP redirects
if you have good reason to be paranoid about other machines on your
LAN.  :)
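As an added illustration of the host-side caution above (example code, not from this thread or from m0n0wall), here is a small parser that recognises ICMP Redirect messages and flags any that do not come from the host's configured default gateway, which is the same rule a host applies when it refuses redirects from arbitrary LAN peers. All addresses and the sample packets are constructed; the on-link and default-gateway checks are a stated assumption about what "expected" means on a given LAN.

```python
import struct
import ipaddress

ICMP_PROTO = 1
ICMP_REDIRECT = 5  # ICMP type 5, Redirect (RFC 792)
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def parse_redirect(packet: bytes):
    """Return a dict describing an ICMP Redirect, or None if the IPv4 packet is not one."""
    if len(packet) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != ICMP_PROTO:
        return None
    icmp = packet[(ver_ihl & 0x0F) * 4:]
    # A redirect is an 8-byte ICMP header followed by the triggering datagram's IP header
    if len(icmp) < 28:
        return None
    itype, code, _, new_gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        return None
    inner_dst = icmp[8 + 16:8 + 20]  # destination field of the embedded IP header
    return {
        "sender": str(ipaddress.IPv4Address(src)),
        "new_gateway": str(ipaddress.IPv4Address(new_gw)),
        "for_destination": str(ipaddress.IPv4Address(inner_dst)),
        "scope": REDIRECT_CODES.get(code, "code %d" % code),
    }

def audit_redirect(packet: bytes, default_gateway: str, lan: str):
    """'ignore' (not a redirect), 'expected' (sent by our default gateway and pointing at an
    on-link router), or 'alert' (any other LAN host trying to rewrite our routing table)."""
    info = parse_redirect(packet)
    if info is None:
        return "ignore", None
    on_link = ipaddress.IPv4Address(info["new_gateway"]) in ipaddress.IPv4Network(lan)
    if info["sender"] == default_gateway and on_link:
        return "expected", info
    return "alert", info

def _make_packet(sender, new_gw, orig_src, orig_dst):
    """Constructed sample bytes for parsing only (checksums zeroed, not valid on the wire)."""
    p = lambda a: ipaddress.IPv4Address(a).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, p(orig_src), p(orig_dst)) + b"\0" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, p(new_gw)) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, ICMP_PROTO, 0, p(sender), p(orig_src))
    return outer + icmp

# Constructed samples: one redirect from the real gateway, one from an arbitrary LAN host
LEGIT = _make_packet("192.168.1.1", "192.168.1.254", "192.168.1.20", "10.0.0.5")
ROGUE = _make_packet("192.168.1.77", "192.168.1.77", "192.168.1.20", "10.0.0.5")

if __name__ == "__main__":
    for pkt in (LEGIT, ROGUE):
        print(audit_redirect(pkt, "192.168.1.1", "192.168.1.0/24"))
```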