From owner-freebsd-security Sat Jan 30 14:08:49 1999
Message-Id: <199901302208.RAA12943@mail.gibralter.net>
Date: Sat, 30 Jan 1999 17:08:06 -0500 (EST)
From: the man
Reply-To: the man
Subject: icmp redirects
To: freebsd-security@FreeBSD.ORG

The other day I was having issues with a router at work sending me icmp redirect messages after I rebooted a firewall. I deleted the "D" flagged routes but I am searching for a permanent solution.

I compiled an icmp-redirect sender from http://www.squirrel.com onto a Solaris box for testing and first tried:

    # sysctl -w net.inet.ip.redirect=0
    net.inet.ip.redirect: 1 -> 0

That still didn't prevent them. I suppose blocking icmp type 5 in ipfw rules would prevent them, but it seems a bit redundant to load ipfw on machines that are already firewalled.

The next thing that bothered me was that I could add those same routes to my FreeBSD box at home (freebsd-2.2.8) that has ip forwarding enabled. I really don't like the idea of someone being able to send redirects etc. to my gateway box. I believe Linux has icmp redirects disabled by default if ip forwarding is enabled, and I also think it logs attempts to syslog. (I'm not sure about this, I don't deal with Linux much.)

Could someone tell me a non-ipfw way of blocking these, and why it is not disabled by default if ip forwarding is on?

-----------------------------------------------------
Robert Muir rmuir@gibralter.net, robert@coastal.cc.nc.us
252 633 3737
Someone thought The Big Red Button was a light switch.
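Added example, not part of the original post: a Python check of the conditions a host should apply before honouring an ICMP Redirect (RFC 1122 section 3.2.2.2), run over a constructed redirect packet. For context, the knob the poster set, net.inet.ip.redirect, controls whether FreeBSD sends redirects when forwarding; accepting them is governed separately (net.inet.icmp.drop_redirect, with net.inet.icmp.log_redirect for logging, on FreeBSD releases that provide them). The addresses, routing table and packet bytes below are all made up for the example.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMP type; codes 0-3 = net/host/TOS+net/TOS+host redirect


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def current_gateway(routes: dict, dst: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """Longest-prefix match over {prefix: gateway}; routes must contain a default route."""
    best = max((ipaddress.ip_network(p) for p in routes if dst in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return ipaddress.IPv4Address(routes[str(best)])


def check_redirect(src_ip: str, icmp: bytes, routes: dict, local_net: str):
    """Return (accept, reason) for an ICMP message received from src_ip."""
    if len(icmp) < 28:  # 8-byte ICMP header plus the quoted 20-byte IPv4 header
        return False, "truncated redirect"
    typ, code, _csum, gw_raw = struct.unpack("!BBHI", icmp[:8])
    if typ != ICMP_REDIRECT or code > 3:
        return False, f"not a redirect (type {typ}, code {code})"
    if inet_checksum(icmp) != 0:
        return False, "bad ICMP checksum"
    inner = icmp[8:28]  # header of the datagram that provoked the redirect
    if inner[0] >> 4 != 4:
        return False, "quoted header is not IPv4"
    inner_dst = ipaddress.IPv4Address(inner[16:20])
    new_gw = ipaddress.IPv4Address(gw_raw)
    # Only the gateway we currently use for that destination may redirect us; anything else
    # is unsolicited and should be logged, not installed into the routing table.
    expected = current_gateway(routes, inner_dst)
    if ipaddress.IPv4Address(src_ip) != expected:
        return False, f"sender {src_ip} is not our gateway {expected} for {inner_dst}"
    if new_gw not in ipaddress.ip_network(local_net):  # must be directly reachable
        return False, f"new gateway {new_gw} is not on {local_net}"
    if new_gw == expected:
        return False, "redirect to the gateway already in use"
    return True, f"install host route {inner_dst} -> {new_gw}"


# Constructed sample, not a capture: host redirect telling 192.0.2.10 to reach
# 198.51.100.7 via 192.0.2.254; checksum 0x865F covers all 28 bytes.
SAMPLE_REDIRECT = bytes.fromhex(
    "0501865f" "c00002fe"               # type 5, code 1, checksum; new gateway 192.0.2.254
    "45000054000040004006" "0000"       # quoted IPv4 header: len 84, TTL 64, proto TCP
    "c000020a" "c6336407")              # quoted src 192.0.2.10, quoted dst 198.51.100.7
ROUTES = {"0.0.0.0/0": "192.0.2.1", "192.0.2.0/24": "192.0.2.10"}  # constructed table

if __name__ == "__main__":
    print(check_redirect("192.0.2.1", SAMPLE_REDIRECT, ROUTES, "192.0.2.0/24"))    # accepted
    print(check_redirect("203.0.113.9", SAMPLE_REDIRECT, ROUTES, "192.0.2.0/24"))  # spoofed sender
```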