Date: Mon, 5 Nov 2001 09:07:35 -0800
From: Luigi Rizzo
To: freebsd-net@FreeBSD.ORG
Subject: limiting outgoing ICMP's
Message-ID: <20011105090735.A75119@iguana.aciri.org>

There seems to be no knob to limit outgoing icmp's (redirects,
no route, and the like). Wouldn't it be the case to add a sysctl
variable to rate-limit or disable such messages?

I do not think it makes a lot of sense to let our routers become
reflectors for certain types of DoS attacks.

	cheers
	luigi

----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------