Date: 11 Jun 1999 19:28:27 +0200
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: "Richard Childers" <rchilders@hamquist.com>
Cc: "Dmitriy Bokiy" <ratebor@cityline.ru>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Newbie questions: DoS & xinetd
Message-ID: <xzpvhcuejes.fsf@flood.ping.uio.no>
In-Reply-To: "Richard Childers"'s message of "Thu, 10 Jun 1999 12:12:51 -0700"
References: <18819.990610@cityline.ru> <37600E33.9A11E641@hamquist.com>

"Richard Childers" <rchilders@hamquist.com> writes:
> For instance, if I wanted to search for all occurrences of the string
> "net.inet.ip.redirect", I would do:
>
> # find / -type f -exec grep -i "net.inet.ip.redirect" {} \; -print

Which starts a grep process for every file on disk, which - needless
to say - is extremely inefficient. Use xargs.

Anyway, there is no need to use find(1) to find information about
net.inet.ip.redirect. Just:

$ cd /sys/netinet
$ grep 'SYSCTL.*redirect' *.c

will give you the name of the source file where the variable is
defined (ip_input.c, which I or any other kernel hacker could've told
you without even needing grep). A quick scan of that file would show
you that this sysctl variable controls *sending* redirects. As for
receiving them, incoming ICMP packets are handled in ip_icmp.c (also
in /sys/netinet). They are always honored, and the only way to avoid
honoring them is to run a firewall.

A good rule is to block all ICMP except types 0,3,8,11. The paranoid
will want to block 0 and 8 as well. Blocking 11 prevents traceroute(8)
from working, but should not have any adverse effects on performance
(I don't know of any place on the globe which is more than 64 hops
away from me). Blocking 3 (UNREACH) is usually a bad idea.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no
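
The ICMP rule from the message above (pass only types 0, 3, 8 and 11, so redirects, type 5, never reach the stack), written out as a small packet classifier. This is an added example, not part of the original e-mail; the function names, the choice to drop non-first fragments, and the sample packets (192.0.2.x addresses, zero checksums) are assumptions.

```python
import struct

# Policy from the message: pass only ICMP types 0, 3, 8 and 11.
ALLOWED_ICMP_TYPES = frozenset({0, 3, 8, 11})
# "The paranoid will want to block 0 and 8 as well."
PARANOID_TYPES = frozenset({3, 11})

def classify(packet: bytes, allowed=ALLOWED_ICMP_TYPES) -> str:
    """Return 'pass' or 'drop' for a raw IPv4 packet. Non-ICMP traffic is
    reported as 'not-icmp' because this policy says nothing about it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # header length; IP options make it > 20
    if ihl < 20 or len(packet) < ihl:
        return "drop"                      # malformed header length
    if packet[9] != 1:                     # protocol field, 1 = ICMP
        return "not-icmp"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset != 0 or len(packet) <= ihl:
        return "drop"                      # assumption: ICMP type not visible, so drop
    return "pass" if packet[ihl] in allowed else "drop"

def build_packet(icmp_type: int, proto: int = 1, options: bytes = b"") -> bytes:
    """Constructed sample packet; checksums are left at zero and never checked."""
    ihl_words = 5 + len(options) // 4
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0)   # type, code, cksum, rest
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl_words, 0,     # version/IHL, TOS
                         ihl_words * 4 + len(icmp),   # total length
                         0, 0,                        # id, flags/fragment offset
                         64, proto, 0,                # TTL, protocol, checksum
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + options + icmp

if __name__ == "__main__":
    # 5 = redirect, 13 = timestamp request: both outside the allowed set.
    for icmp_type in (0, 3, 5, 8, 11, 13):
        print(icmp_type, classify(build_packet(icmp_type)))
```
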