From a95f9439656293631408cd186f78ac059eea58b5 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sun, 17 May 2020 11:22:02 +0200
Subject: [PATCH] tunables: default net.inet.icmp.reply_from_interface to 1.

The helpt text (man icmp) suggests this is a better default in our usecase: ----------- (boolean) Use the IP address of the interface the packet came through in for responses to packets which are not directly addressed to us. If enabled, this rule is processed before all others. By default, continue with normal source selection. Enabling this option is particularly useful on routers because it makes external traceroutes show the actual path a packet has taken instead of the possibly different return path. ----------- ref https://github.com/opnsense/core/issues/4094
---
 src/etc/inc/system.inc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 606593531..20ad587ff 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -84,6 +84,7 @@ function get_default_sysctl_value($id)
 'net.inet.icmp.drop_redirect' => '0',
 'net.inet.icmp.icmplim' => '0',
 'net.inet.icmp.log_redirect' => '0',
+ 'net.inet.icmp.reply_from_interface' => '1',
 'net.inet.ip.accept_sourceroute' => '0',
 'net.inet.ip.intr_queue_maxlen' => '1000',
 'net.inet.ip.portrange.first' => '1024',
@@ -132,7 +133,8 @@ function system_sysctl_get()
 'net.enc.in.ipsec_filter_mask' => 'default',
 'net.enc.out.ipsec_bpf_mask' => 'default',
 'net.enc.out.ipsec_filter_mask' => 'default',
- 'net.local.dgram.maxdgram' => 'default',
+ 'net.inet.icmp.reply_from_interface' => 'default',
+ 'net.local.dgram.maxdgram' => 'default'
 );
 foreach (config_read_array('sysctl', 'item') as $tunable) {
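Review bot: The rewritten last element of the array in system_sysctl_get() drops the trailing comma that the removed line carried (`'net.local.dgram.maxdgram' => 'default'` directly before `);`), so the next tunable appended here will again need a two-line change; keeping `'net.local.dgram.maxdgram' => 'default',` preserves the file's trailing-comma style and reduces this hunk to a pure one-line insertion. Both hunks place the new key in alphabetical position, consistent with the neighbouring entries. Since the `'default'` marker presumably resolves through get_default_sysctl_value() (inferred, the lookup is not visible in these hunks), installations that never set this tunable will switch from the kernel's normal source selection to replying from the ingress interface on upgrade, which is worth recording next to the new entry in get_default_sysctl_value(), e.g. `// router default: reply from the ingress interface so external traceroutes show the forward path (see icmp(4))`. Both enclosing functions start and end outside the hunks.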