Date:      Fri, 15 Oct 1999 16:03:28 +0100 (BST)
From:      aledm@alice.net.uk
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/14350: disable ICMP Timestamp reply
Message-ID:  <199910151503.QAA26025@dinah.alice.net.uk>


>Number:         14350
>Category:       kern
>Synopsis:       Security enhancement to ICMP
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 15 22:50:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Aled Morris
>Release:        FreeBSD 3.2-RELEASE i386
>Organization:
Alice Networks Ltd.
>Environment:

Stock 3.2 system installed in "security conscious" site

>Description:

User wanted to disable sending of replies to ICMP Timestamp requests

>How-To-Repeat:

FreeBSD has no knob to control this.

>Fix:
	
I implemented this knob and defaulted it to "don't reply", which is permitted by
RFC 1122 ("A host MAY implement Timestamp and Timestamp Reply." p.43).
Personally, I'd probably leave it enabled on systems I run.



*** netinet/icmp_var.h.dist	Fri Dec  4 04:21:25 1998
--- netinet/icmp_var.h	Mon Oct 11 18:59:58 1999
***************
*** 68,80 ****
  #define	ICMPCTL_MASKREPL	1	/* allow replies to netmask requests */
  #define	ICMPCTL_STATS		2	/* statistics (read-only) */
  #define ICMPCTL_ICMPLIM		3
! #define ICMPCTL_MAXID		4
  
  #define ICMPCTL_NAMES { \
  	{ 0, 0 }, \
  	{ "maskrepl", CTLTYPE_INT }, \
  	{ "stats", CTLTYPE_STRUCT }, \
  	{ "icmplim", CTLTYPE_INT }, \
  }
  
  #ifdef KERNEL
--- 68,82 ----
  #define	ICMPCTL_MASKREPL	1	/* allow replies to netmask requests */
  #define	ICMPCTL_STATS		2	/* statistics (read-only) */
  #define ICMPCTL_ICMPLIM		3
! #define ICMPCTL_TIMEREPL	4
! #define ICMPCTL_MAXID		5
  
  #define ICMPCTL_NAMES { \
  	{ 0, 0 }, \
  	{ "maskrepl", CTLTYPE_INT }, \
  	{ "stats", CTLTYPE_STRUCT }, \
  	{ "icmplim", CTLTYPE_INT }, \
+ 	{ "timerepl", CTLTYPE_INT }, \
  }
  
  #ifdef KERNEL
*** netinet/ip_icmp.c.dist	Sat Mar  6 23:11:41 1999
--- netinet/ip_icmp.c	Mon Oct 11 18:57:41 1999
***************
*** 65,70 ****
--- 65,74 ----
  SYSCTL_STRUCT(_net_inet_icmp, ICMPCTL_STATS, stats, CTLFLAG_RD,
  	&icmpstat, icmpstat, "");
  
+ static int	icmptimerepl = 0;
+ SYSCTL_INT(_net_inet_icmp, ICMPCTL_TIMEREPL, timerepl, CTLFLAG_RW,
+ 	&icmptimerepl, 0, "");
+ 
  static int	icmpmaskrepl = 0;
  SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
  	&icmpmaskrepl, 0, "");
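Review bot: The added SYSCTL_INT registers net.inet.icmp.timerepl with an empty description string, so the new knob shows nothing in a descriptive sysctl listing; consider `"Enable replies to ICMP Timestamp requests"` in place of the trailing `""`. The default of 0 switches off a reply the stock kernel currently sends, which the PR text explains but the code does not; a one-line comment above `static int	icmptimerepl = 0;` such as `/* off by default: RFC 1122 makes Timestamp Reply optional */` keeps that rationale next to the code. The neighbouring maskrepl entry also uses an empty description, so this follows the file's existing style rather than introducing it.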
***************
*** 406,411 ****
--- 410,417 ----
  		goto reflect;
  
  	case ICMP_TSTAMP:
+ 		if (icmptimerepl == 0)
+ 			break;
  		if (!icmpbmcastecho
  		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
  			icmpstat.icps_bmcasttstamp++;
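Review bot: The added `if (icmptimerepl == 0) break;` leaves the switch before the broadcast/multicast check on the following lines, so while the knob is off a timestamp request addressed to a broadcast or multicast group is no longer counted in icmpstat.icps_bmcasttstamp, and the dropped request leaves no statistic specific to this knob. If that accounting matters, the check could sit after the bmcast block instead, or the drop could get its own counter; either way a comment such as `/* net.inet.icmp.timerepl == 0: Timestamp Reply disabled (optional per RFC 1122) */` makes the silent break self-explanatory. Breaking out here rather than falling through to the reflect path is the right choice, since nothing should be sent back. The enclosing switch and function start and end outside the hunk.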


>Release-Note:
>Audit-Trail:
>Unformatted:





