From owner-freebsd-security Fri Jun 11 20:20:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zip.com.au (zipper.zip.com.au [203.12.97.1]) by hub.freebsd.org (Postfix) with ESMTP id E666B14F02 for ; Fri, 11 Jun 1999 20:20:23 -0700 (PDT) (envelope-from ncb@zip.com.au)
Received: from localhost (ncb@localhost) by zip.com.au (8.9.1/8.9.1) with ESMTP id NAA08258; Sat, 12 Jun 1999 13:20:23 +1000
Date: Sat, 12 Jun 1999 13:20:21 +1000 (EST)
From: Nicholas Brawn
To: Dag-Erling Smorgrav
Cc: Richard Childers, Dmitriy Bokiy, freebsd-security@FreeBSD.ORG
Subject: Re: Newbie questions: DoS & xinetd
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 11 Jun 1999, Dag-Erling Smorgrav wrote:

> will give you the name of the source file where the variable is
> defined (ip_input.c, which I or any other kernel hacker could've told
> you without even needing grep). A quick scan of that file would show
> you that this sysctl variable controls *sending* redirects. As for
> receiving them, incoming ICMP packets are handled in ip_icmp.c (also
> in /sys/netinet). They are always honored, and the only way to avoid
> honoring them is to run a firewall. A good rule is to block all ICMP
> except types 0,3,8,11. The paranoid will want to block 0 and 8 as
> well. Blocking 11 prevents traceroute(8) from working, but should not
> have any adverse effects on performance (I don't know of any place on
> the globe which is more than 64 hops away from me). Blocking 3
> (UNREACH) is usually a bad idea.

For those interested, here is a patch to /sys/netinet/ip_icmp.c that will enable the dropping of icmp redirects without requiring the use of IPFW or IPFilter (although it's a good idea to run either one of them).
*** ip_icmp.c.orig Wed Jun 2 15:06:02 1999 --- ip_icmp.c Wed Jun 2 15:23:51 1999 *************** *** 42,47 **** --- 42,48 ---- #include #include #include + #include #include #include *************** *** 69,74 **** --- 70,79 ---- SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); + static int dropredirects = 0; + SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirects, CTLFLAG_RW, + &dropredirects, 0, ""); + #ifdef ICMP_BANDLIM /* *************** *** 462,467 **** --- 467,479 ---- return; case ICMP_REDIRECT: + if (dropredirect) { + char buf[4 * sizeof "123"]; + strncpy(buf, inet_ntoa(icp->icmp_ip.ip_dst),sizeof(buf)); + log(LOG_INFO,"Received icmp redirect => dst %s to %s\n", + buf, inet_ntoa(icp->icmp_gwaddr)); + break; + } if (code > 3) goto badcode; if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) || *************** *** 484,490 **** strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst)); printf("redirect dst %s to %s\n", ! buf, inet_ntoa(icp->icmp_gwaddr)); } #endif icmpsrc.sin_addr = icp->icmp_ip.ip_dst; --- 496,502 ---- strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst)); printf("redirect dst %s to %s\n", ! buf, inet_ntoa(icp->icmp_gwaddr)); } #endif icmpsrc.sin_addr = icp->icmp_ip.ip_dst; Cheers, Nick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
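Review bot: the new `log(LOG_INFO, ...)` call in the ICMP_REDIRECT case needs the kernel's `log()` declaration and the `LOG_INFO` constant, so the `+ #include` added in the first hunk (lines 42-47) should be the header that provides them; the posted text does not show the header's name, so please confirm it in the submission.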
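Review bot: the `SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirects, CTLFLAG_RW, &dropredirects, 0, "");` added in the second hunk (lines 69-74) registers the knob with an empty description string, so an administrator listing the sysctl gets no hint of what it does; the neighbouring `maskrepl` entry is equally bare, but a new knob should carry a short description such as "Drop incoming ICMP redirects". Note also that the variable is spelled `dropredirects` here, which the test in the ICMP_REDIRECT case must match.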
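Review bot: `if (dropredirect) {` in the third hunk (lines 462-467) does not match the variable declared above as `dropredirects`, so the patch does not compile as posted; rename one of them. Beyond the typo, the `log()` call reads `icp->icmp_ip.ip_dst` and `icp->icmp_gwaddr` before the existing `if (code > 3) goto badcode;` and `icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp)` checks that follow it, so a truncated or bad-code redirect has its embedded header fields read and logged before the checks that exist to reject such packets run; move the `dropredirects` test below those checks (or repeat the length check in front of the log). The log line is also unconditional and unthrottled, one `LOG_INFO` entry per redirect received, so a burst of redirects becomes a burst of kernel log lines; gate it behind the same diagnostic switch as the `printf("redirect dst %s to %s\n", ...)` block in the next hunk, or rate-limit it the way the ICMP_BANDLIM code visible in the second hunk's context does. Finally, the `break;` intentionally leaves the switch before the rest of the redirect handling; a one-line comment saying the message is deliberately not acted on would help the next reader.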
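Review bot: in the last hunk (lines 484-490) the old and new `! buf, inet_ntoa(icp->icmp_gwaddr));` lines are textually identical apart from whitespace, so this is an indentation-only edit unrelated to the drop feature; remove it so the diff carries only the behavioural change, or state in the submission that it is a deliberate style fix.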
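Added example, written for this archive page rather than taken from the post or from FreeBSD: a user-space classifier in C that applies the ICMP policy quoted above (pass types 0, 3, 8 and 11, drop everything else) and, for redirects, performs the code and length checks that the ICMP_REDIRECT case of icmp_input performs before any byte of the embedded IP header is read. The function and constant names (`icmp_policy`, `build_packet`, `verdict_for`, `sample_redirect_dst`, the `ICMP_*` verdict names) and all packet bytes are constructed for the example; no checksums are computed or checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Verdicts returned by icmp_policy(). Names are this example's own. */
enum icmp_verdict {
    ICMP_ACCEPT = 0,    /* pass the packet */
    ICMP_DROP_TYPE,     /* ICMP type outside the allowed set (redirects included) */
    ICMP_DROP_LEN,      /* outer or embedded header truncated */
    ICMP_DROP_CODE      /* redirect with code > 3 */
};

#define IP_HDR_MIN          20   /* IPv4 header without options */
#define ICMP_HDR            8    /* the kernel's ICMP_MINLEN */
#define ICMP_TYPE_REDIRECT  5

/* The quoted rule: allow echo reply (0), unreachable (3), echo (8) and
 * time exceeded (11); everything else is dropped. */
static int type_allowed(uint8_t type)
{
    return type == 0 || type == 3 || type == 8 || type == 11;
}

/* Classify one IPv4 packet of len bytes. For redirects the code and both
 * length bounds (ICMP_ADVLENMIN, then ICMP_ADVLEN using the embedded IHL)
 * are checked before any byte of the embedded IP header is read; the
 * embedded destination is copied to dst_out (4 bytes, may be NULL) only
 * after those checks pass, which is the point where a log line belongs. */
int icmp_policy(const uint8_t *pkt, size_t len, uint8_t *dst_out)
{
    if (len < IP_HDR_MIN)
        return ICMP_DROP_LEN;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if ((pkt[0] >> 4) != 4 || ihl < IP_HDR_MIN || len < ihl)
        return ICMP_DROP_LEN;
    if (pkt[9] != 1)                      /* not ICMP: outside this policy */
        return ICMP_ACCEPT;

    const uint8_t *icmp = pkt + ihl;
    size_t icmplen = len - ihl;
    if (icmplen < ICMP_HDR)
        return ICMP_DROP_LEN;

    uint8_t type = icmp[0], code = icmp[1];
    if (type == ICMP_TYPE_REDIRECT) {
        if (code > 3)
            return ICMP_DROP_CODE;
        if (icmplen < ICMP_HDR + IP_HDR_MIN + 8)                  /* ICMP_ADVLENMIN */
            return ICMP_DROP_LEN;
        size_t inner_ihl = (size_t)(icmp[ICMP_HDR] & 0x0f) * 4;
        if (inner_ihl < IP_HDR_MIN || icmplen < ICMP_HDR + inner_ihl + 8) /* ICMP_ADVLEN */
            return ICMP_DROP_LEN;
        if (dst_out != NULL)              /* embedded ip_dst is now known to be present */
            memcpy(dst_out, icmp + ICMP_HDR + 16, 4);
        return ICMP_DROP_TYPE;
    }
    return type_allowed(type) ? ICMP_ACCEPT : ICMP_DROP_TYPE;
}

/* Build a constructed IPv4+ICMP packet: IHL 5, 192.168.1.1 -> 192.168.1.2,
 * the given ICMP type and code, then payload_len zero bytes. When the
 * payload can hold an IPv4 header, an embedded header with IHL 5 and
 * destination 10.0.0.9 is written at its start, as a real redirect carries.
 * Returns the total length, or 0 if buf is too small. */
size_t build_packet(uint8_t *buf, size_t cap, uint8_t type, uint8_t code,
                    size_t payload_len)
{
    size_t total = IP_HDR_MIN + ICMP_HDR + payload_len;
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                    /* IPv4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[8] = 64;                                      /* TTL */
    buf[9] = 1;                                       /* IPPROTO_ICMP */
    memcpy(buf + 12, "\xc0\xa8\x01\x01", 4);
    memcpy(buf + 16, "\xc0\xa8\x01\x02", 4);
    uint8_t *icmp = buf + IP_HDR_MIN;
    icmp[0] = type;
    icmp[1] = code;
    if (payload_len >= IP_HDR_MIN) {
        icmp[ICMP_HDR] = 0x45;
        memcpy(icmp + ICMP_HDR + 16, "\x0a\x00\x00\x09", 4);
    }
    return total;
}

/* Build and classify in one step; dst_out as for icmp_policy(). */
int verdict_for(uint8_t type, uint8_t code, size_t payload_len, uint8_t *dst_out)
{
    uint8_t buf[128];
    size_t n = build_packet(buf, sizeof buf, type, code, payload_len);
    return icmp_policy(buf, n, dst_out);
}

/* Embedded destination of a well-formed sample redirect, packed big-endian. */
unsigned long sample_redirect_dst(void)
{
    uint8_t d[4] = {0, 0, 0, 0};
    verdict_for(ICMP_TYPE_REDIRECT, 1, 28, d);
    return ((unsigned long)d[0] << 24) | ((unsigned long)d[1] << 16) |
           ((unsigned long)d[2] << 8) | d[3];
}

int main(void)
{
    static const char *names[] = {"accept", "drop:type", "drop:len", "drop:code"};
    printf("echo request       -> %s\n", names[verdict_for(8, 0, 0, NULL)]);
    printf("redirect, full     -> %s (embedded dst 0x%08lx)\n",
           names[verdict_for(ICMP_TYPE_REDIRECT, 1, 28, NULL)], sample_redirect_dst());
    printf("redirect, short    -> %s\n", names[verdict_for(ICMP_TYPE_REDIRECT, 1, 20, NULL)]);
    printf("redirect, code 4   -> %s\n", names[verdict_for(ICMP_TYPE_REDIRECT, 4, 28, NULL)]);
    return 0;
}
```

The order inside the redirect branch is the point: code first, then the fixed minimum, then the bound that depends on the embedded IHL, and only then a read of the embedded destination. A truncated redirect therefore produces a length verdict and never touches bytes past the end of the packet.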