From owner-freebsd-security Sun Jun 13 3:50:19 1999 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 898F414D72 for ; Sun, 13 Jun 1999 03:50:15 -0700 (PDT) (envelope-from des@flood.ping.uio.no) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.1) id MAA21681; Sun, 13 Jun 1999 12:50:07 +0200 (CEST) (envelope-from des) To: Nicholas Brawn Cc: Dag-Erling Smorgrav , Richard Childers , Dmitriy Bokiy , freebsd-security@FreeBSD.ORG Subject: Re: Newbie questions: DoS & xinetd References: From: Dag-Erling Smorgrav Date: 13 Jun 1999 12:50:06 +0200 In-Reply-To: Nicholas Brawn's message of "Sat, 12 Jun 1999 13:20:21 +1000 (EST)" Message-ID: Lines: 89 X-Mailer: Gnus v5.5/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Nicholas Brawn writes: > For those interested, here is a patch to /sys/netinet/ip_icmp.c that will > enable the dropping of icmp redirects without requiring the use of IPFW or > IPFilter (although it's a good idea to run either one of them). Here's a better patch: Index: src/sys/netinet/ip_icmp.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.34 diff -u -r1.34 ip_icmp.c --- ip_icmp.c 1999/03/06 23:10:42 1.34 +++ ip_icmp.c 1999/06/13 10:41:47 @@ -69,6 +69,14 @@ SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); +static int logredirect = 0; +SYSCTL_INT(_net_inet_icmp, OID_AUTO, logredirect, CTLFLAG_RW, + &logredirect, 0, ""); + +static int dropredirect = 0; +SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirect, CTLFLAG_RW, + &dropredirect, 0, ""); + #ifdef ICMP_BANDLIM /* 
@@ -462,6 +470,15 @@ return; case ICMP_REDIRECT: + if (logredirect) { + char from[4 * sizeof "123"], dst[4 * sizeof "123"]; + strcpy(from, inet_ntoa(icp->ip_src)); + strcpy(dst, inet_ntoa(icp->icmp_ip.ip_dst)); + printf("icmp_redirect from %s: %s => %s\n", + from, dst, inet_ntoa(icp->icmp_gwaddr)); + } + if (dropredirect) + break; if (code > 3) goto badcode; if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) || Index: src/etc/rc.network =================================================================== RCS file: /home/ncvs/src/etc/rc.network,v retrieving revision 1.47 diff -u -r1.47 rc.network --- rc.network 1999/06/08 13:00:30 1.47 +++ rc.network 1999/06/13 10:48:08 @@ -164,6 +164,16 @@ echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_dropredirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.dropredirect=1 >/dev/null + fi + + if [ "X$icmp_logredirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.logredirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' Index: src/etc/defaults/rc.conf =================================================================== RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.10 diff -u -r1.10 rc.conf --- rc.conf 1999/06/05 05:45:57 1.10 +++ rc.conf 1999/06/13 10:44:09 
@@ -42,6 +42,8 @@ tcp_extensions="NO" # Set to Yes to turn on RFC1323 extensions. log_in_vain="NO" # Disallow bad connection logging (or YES). tcp_keepalive="YES" # Kill dead TCP connections (or NO). +icmp_dropredirect="NO" # Set to YES to ignore ICMP REDIRECT packets +icmp_logredirect="NO" # Set to YES to log ICMP REDIRECT packets network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
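Review bot: the two SYSCTL_INT registrations in the ip_icmp.c `@@ -69,6 +69,14 @@` hunk carry an empty description string (`""`), so net.inet.icmp.logredirect and net.inet.icmp.dropredirect expose nothing about what they do; the maskrepl entry above them has the same gap, but new knobs should ship with a one-line description, e.g. `&logredirect, 0, "Log ICMP redirects");` and `&dropredirect, 0, "Ignore ICMP redirects");`. Both default to 0, which keeps the existing behaviour (redirects accepted and installed) unless rc.conf turns them on, which is the right default for a new kernel knob.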
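Review bot: in the ip_icmp.c `@@ -462,6 +470,15 @@` hunk, `strcpy(from, inet_ntoa(icp->ip_src));` dereferences ip_src through the struct icmp pointer, which has no such member; the address of whoever sent the redirect is in the outer IP header (the `ip` pointer icmp_input already holds), and `icp->icmp_ip` is the quoted inner header of the datagram being redirected, not the sender. Two further points on the same block: the logging reads `icp->icmp_ip.ip_dst` and `icp->icmp_gwaddr` before the `if (code > 3) goto badcode;` and `icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp)` checks that follow it, so a truncated redirect is logged with inner-header fields that have not yet been validated; move the `if (logredirect)` block (and the `if (dropredirect) break;`) below those checks. And `printf` here is unthrottled: anyone on-link can spray redirects and push one console/syslog line per packet, so rate-limit the message (the ICMP_BANDLIM machinery is already in this file, as the first hunk's trailing context shows) or count and summarise instead.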
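Review bot: in the rc.network `@@ -164,6 +164,16 @@` hunk the verbs disagree with the knob names: the variable is icmp_dropredirect and the sysctl is net.inet.icmp.dropredirect, but the boot summary prints ' ignore ICMP redirect=YES'; pick one word (drop, since that is what the kernel side is called) so that the rc.conf variable, the sysctl and the boot message all match, and use the plural to match the neighbouring ' broadcast ping responses=YES' label, e.g. `echo -n ' drop ICMP redirects=YES'` and `echo -n ' log ICMP redirects=YES'`. The YES-only test with no else branch is fine here because the kernel default is 0, the same pattern the bmcastecho block above it uses.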
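Review bot: the defaults/rc.conf `@@ -42,6 +42,8 @@` hunk should say in the comments that icmp_logredirect alone only records the redirect, it does not stop it: in the kernel hunk the log block runs and then processing falls through into the normal redirect handling unless dropredirect is set, so an administrator who enables logging expecting protection still has redirects installed. Something like `icmp_logredirect="NO" # Set to YES to log ICMP REDIRECT packets (does not drop them; see icmp_dropredirect)` makes the relationship explicit, and "ignore" in the dropredirect comment should become "drop" to match the variable name.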