Date: Sat, 30 Jan 1999 17:08:06 -0500 (EST)
From: the man <rmuir@gibralter.net>
To: freebsd-security@FreeBSD.ORG
Subject: icmp redirects
Message-ID: <199901302208.RAA12943@mail.gibralter.net>

The other day I was having issues with a router at work sending me ICMP redirect messages after I rebooted a firewall. I deleted the "D" flagged routes but I am searching for a permanent solution.

I compiled an icmp-redirect sender from http://www.squirrel.com onto a Solaris box for testing and first tried:

    # sysctl -w net.inet.ip.redirect=0
    net.inet.ip.redirect: 1 -> 0

That still didn't prevent them. I suppose blocking ICMP type 5 in ipfw rules would prevent them, but it seems a bit redundant to load ipfw on machines that are already firewalled.

The next thing that bothered me was that I could add those same routes to my FreeBSD box at home (freebsd-2.2.8) that has IP forwarding enabled. I really don't like the idea of someone being able to send redirects etc. to my gateway box. I believe Linux has ICMP redirects disabled by default if IP forwarding is enabled, and I also think it logs attempts to syslog. (I'm not sure about this, I don't deal with Linux much.)

Could someone tell me a non-ipfw way of blocking these, and why it is not disabled by default if IP forwarding is on?

-----------------------------------------------------
Robert Muir
rmuir@gibralter.net, robert@coastal.cc.nc.us
252 633 3737
Someone thought The Big Red Button was a light switch.
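
Added example (not part of the original message): a small audit script for the "D" flagged routes the message mentions. It reads `netstat -rn` output and reports routes that netstat(1) marks as created (D, RTF_DYNAMIC) or modified (M, RTF_MODIFIED) by an ICMP redirect. The function names, the sample routing table and its addresses are constructed for illustration, and the column layout is assumed to be the BSD one (Destination, Gateway, Flags).

```sh
#!/bin/sh
# Added example: find routes installed or altered by ICMP redirects.

# redirect_routes: read `netstat -rn` text on stdin and print
# "destination gateway flags" for every route flagged D or M.
redirect_routes() {
    awk '
        NF >= 3 && $1 != "Destination" &&
        $3 ~ /^[A-Za-z0-9]+$/ && $3 ~ /[DM]/ {
            print $1, $2, $3
        }
    '
}

# remediation: turn the report into lines for an operator to review.
# D routes did not exist before the redirect, so they can be deleted.
# M-only routes were real routes whose gateway was rewritten; deleting
# them would drop the original route, so they are only pointed out.
# Nothing is executed here.
remediation() {
    redirect_routes | while read -r dest gw flags; do
        case $flags in
            *D*) echo "route delete $dest" ;;
            *)   echo "# $dest now via $gw (flag M): restore the intended gateway" ;;
        esac
    done
}

# Constructed sample output (documentation addresses, not real hosts).
SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            192.0.2.1          UGSc        4      123      ed0
192.0.2.0/24       link#1             UC          0        0      ed0
198.51.100.7       192.0.2.254        UGHD        0       12      ed0
203.0.113.9        192.0.2.253        UGHM        1        3      ed0
127.0.0.1          127.0.0.1          UH          0        0      lo0'

printf '%s\n' "$SAMPLE" | remediation
# On a live host: netstat -rn | remediation
```
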
