From: Snob Art Genre
Reply-To: ben@rosengart.com
To: the man
cc: freebsd-security@FreeBSD.ORG
Date: Sat, 30 Jan 1999 17:31:24 -0500 (EST)
Subject: Re: icmp redirects
In-Reply-To: <199901302208.RAA12943@mail.gibralter.net>

On Sat, 30 Jan 1999, the man wrote:

> I really don't like the idea of someone being able to send redirects
> etc. to my gateway box.
> I believe Linux has icmp redirects disabled by default if ip
> forwarding is enabled, and I also think it logs attempts to syslog.
> (I'm not sure about this, I don't deal with Linux much).

I like the Linux policy -- Bellovin and Cheswick, in _Firewalls and
Internet Security_, say Redirect messages should only be obeyed by hosts,
not routers, and only when the message comes from a router on a directly
attached network. I think their reasoning is that routers should only
acquire routing information by administrator-designated methods, i.e.
static routes or dynamic routing protocols.

Ben

"You have your mind on computers, it seems."
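As an added illustration (not part of the thread), the rule Ben quotes can be turned into a check a FreeBSD admin runs against a gateway: if the box forwards packets it should drop redirects and log the attempts. It reads sysctl output in FreeBSD's "name: value" form; the sample outputs below are constructed, and the live command is shown in a comment.

```sh
#!/bin/sh
# Check a FreeBSD box's ICMP-redirect posture against the rule from the
# message: a forwarding box (router) must not honour redirects, and should
# log them. Input is text in FreeBSD `sysctl` output form ("name: value").

# Extract the value of one sysctl name from captured sysctl output.
sysctl_value() {
    # $1 = captured output, $2 = sysctl name
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '$1 == k { print $2 }'
}

# Exit status: 0 = policy holds, 1 = router accepts redirects (FAIL),
# 2 = router drops redirects but does not log them (WARN).
check_redirect_policy() {
    out="$1"
    fwd=$(sysctl_value "$out" net.inet.ip.forwarding)
    drop=$(sysctl_value "$out" net.inet.icmp.drop_redirect)
    log=$(sysctl_value "$out" net.inet.icmp.log_redirect)
    if [ "$fwd" = "1" ] && [ "$drop" != "1" ]; then
        echo "FAIL: box forwards packets but still obeys ICMP redirects"
        return 1
    fi
    if [ "$fwd" = "1" ] && [ "$log" != "1" ]; then
        echo "WARN: redirects dropped but not logged (set log_redirect=1)"
        return 2
    fi
    echo "OK: redirect handling matches role (forwarding=${fwd:-0})"
    return 0
}

# Constructed samples standing in for:
#   sysctl net.inet.ip.forwarding net.inet.icmp.drop_redirect net.inet.icmp.log_redirect
ROUTER_BAD="net.inet.ip.forwarding: 1
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0"
ROUTER_UNLOGGED="net.inet.ip.forwarding: 1
net.inet.icmp.drop_redirect: 1
net.inet.icmp.log_redirect: 0"
ROUTER_GOOD="net.inet.ip.forwarding: 1
net.inet.icmp.drop_redirect: 1
net.inet.icmp.log_redirect: 1"
HOST_OK="net.inet.ip.forwarding: 0
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0"

# Demonstration on the constructed samples; the `|| :` keeps a FAIL/WARN
# verdict from aborting a `set -e` shell. On a real gateway, replace the
# string with "$(sysctl net.inet.ip.forwarding net.inet.icmp.drop_redirect net.inet.icmp.log_redirect)".
for s in "$ROUTER_BAD" "$ROUTER_UNLOGGED" "$ROUTER_GOOD" "$HOST_OK"; do
    check_redirect_policy "$s" || :
done
```

A plain host (forwarding=0) passes regardless of the redirect sysctls, matching the "hosts, not routers" half of the rule; the "directly attached router" condition is enforced by the kernel's source check, not by these knobs.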