> Setting net.inet.ip.check_interface=1 on FreeBSD stopped any ICMP Echo
> replies immediately.
>
> On NetBSD I set net.inet.ip.checkinterface=1 and it showed the same
> behaviour as FreeBSD. No replies anymore, whenever the "wrong"
> interface was contacted.
How many users set those variables?
A global seems a misguided place to establish such a policy.
If it was good and necessary for everyone on all interfaces and had no
downsides, they would have turned it on. But they didn't.
A similar feature "urpf-failed" which is more nuanced is available in
pf.conf, and you can properly use it on a per-interface basis, also
selecting to do so based on other per-rule options, rather than having
a 'global rule'.
Something blocked FreeBSD or NetBSD from turning this into the default.
What was that reason -- was it too damaging?
(I'm going to assume the people with so-called 'strong' views didn't win
the battle, and the so-called 'weak' view prevailed, probably because
the 'strong' option created breakage and prevents the dominant
operational model of Getting-Shit-Done. That's why I ask how many
people in real life subscribe to the 'strong' view by turning on this
option in FreeBSD/NetBSD. 3 people or is it 2? In my experience,
everyone is so busy getting on about their lives they don't flip any
knobs which don't provide an immediately confirmable and necessary
value).
     from <source> [port <source>] [os <source>] to <dest> [port <dest>]
           This rule applies only to packets with the specified source and
           destination addresses and ports.

           Addresses can be specified in CIDR notation (matching netblocks),
           as symbolic host names, interface names or interface group names,
           or as any of the following keywords:

           any           Any address.
           no-route      Any address which is not currently routable.
           route label   Any address matching the given route(8) label.
           self          Expands to all addresses assigned to all interfaces.
           <table>       Any address matching the given table.
           urpf-failed   Any source address that fails a unicast reverse path
                         forwarding (URPF) check, i.e. packets coming in on
                         an interface other than that which holds the route
                         back to the packet's source address.
Convince us we should change to the strong model, and I'll embrace it.
You won't convince us to make a global which people don't understand...
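The per-interface use of urpf-failed mentioned above, written out as an added pf.conf example (this is not from the original message or from the pf.conf(5) man page). The interface names em0, em1 and vlan10, the <asym_nets> table and its addresses are assumptions chosen for illustration:

```pf
# Added example, not part of the original post.
# Assumed topology: em0 is the primary uplink, em1 a second uplink on
# which return traffic legitimately arrives asymmetrically (the route
# back to those sources points out em0), vlan10 an internal segment.
ext_if  = "em0"
ext2_if = "em1"
int_if  = "vlan10"

# Assumed: internal subnets that reach us through a router on vlan10
# while our own route to them points elsewhere, so a strict reverse
# path check on vlan10 would wrongly reject them.
table <asym_nets> { 10.20.0.0/16, 10.30.0.0/16 }

# Primary uplink: a source that fails the reverse path check is spoofed
# or misrouted; drop it and log it so the effect can be confirmed on
# pflog0 before anyone relies on the rule.
block in quick log on $ext_if from urpf-failed

# Second uplink: a global check would break the asymmetric return
# traffic here, so the check is narrowed to one case where a failing
# source is never legitimate: TCP SYNs that try to open a connection.
block in quick log on $ext2_if proto tcp from urpf-failed flags S/SA

# Internal segment: exempt the known asymmetric subnets first, then
# apply the check to everything else arriving on this interface.
pass  in quick on $int_if from <asym_nets>
block in quick log on $int_if from urpf-failed

# Default policy for everything else on this host (kept minimal here).
pass out quick
pass in on $int_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch what the block rules actually catch with `tcpdump -n -e -ttt -i pflog0` for a while; this is the per-interface, per-rule selectivity that the sysctl discussed above cannot offer, and the log lines are the "immediately confirmable" value the post says a knob needs before people turn it on.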