From owner-freebsd-hackers Sun Sep 20 08:44:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA10396 for freebsd-hackers-outgoing; Sun, 20 Sep 1998 08:44:20 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id IAA10368 for ; Sun, 20 Sep 1998 08:44:16 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 19547 invoked by uid 1001); 20 Sep 1998 15:43:48 +0000 (GMT)
To: tlambert@primenet.com
Cc: rotel@indigo.ie, hackers@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: problem using 3 x znyx314 cards for 12 de ethernets
In-Reply-To: Your message of "Fri, 18 Sep 1998 03:11:14 +0000 (GMT)"
References: <199809180311.UAA00693@usr04.primenet.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 20 Sep 1998 17:43:48 +0200
Message-ID: <19545.906306228@verdi.nethelp.no>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > These are different issues, someone can be partly responsible for
> > a smurf attack without ever realising it and (more importantly)
> > without _their_ security/quality of service being compromised. I
> > don't care how many boxes get hacked as long as they aren't mine,
> > but it's reasonable to complain about a configuration which makes
> > it too easy for script kiddies to exploit the ineptitude or
> > carelessness of admins to affect _other_ competent and careful
> > admins' boxes.
> >
> > It's akin to shipping sendmail with open relaying.
>
> If you want a C2 hardened system, quit pussyfooting around and start
> addressing the real issues leading up to C2 certification. Otherwise,
> griping about something that will never happen given a correctly
> configured firewall, and which "fixing" will break a behaviour that
> is universally known to be useful, seems a bit counter-productive.

This whole discussion is moot. The default ICMP broadcast behavior for
FreeBSD was changed recently:

34c34 < * $Id: ip_icmp.c,v 1.30 1998/05/26 11:34:30 dg Exp $ --- > * $Id: ip_icmp.c,v 1.31 1998/09/15 10:49:03 jkoshy Exp $ 72c72 < static int icmpbmcastecho = 1; --- > static int icmpbmcastecho = 0;

Also, I just submitted patches to separate the broadcast and multicast
echo functionality, with the broadcast echo defaulting to off and the
multicast echo defaulting to on, as suggested by both Bill Fenner and
myself. That way the ping bombers won't have quite as easy a time with
FreeBSD boxes, and Terry Lambert will still be able to get a reply from
the FreeBSD boxes on his LAN by pinging 224.0.0.1.

Everybody happy now? :-)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
*** ip_icmp.c.orig Tue Sep 15 12:49:03 1998 --- ip_icmp.c Sun Sep 20 16:57:40 1998 *************** *** 69,76 **** SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); ! static int icmpbmcastecho = 0; ! SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho, 0, ""); #ifdef ICMPPRINTFS --- 69,84 ---- SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); ! static int icmpbcastecho = 0; ! SYSCTL_INT(_net_inet_icmp, OID_AUTO, bcastecho, CTLFLAG_RW, &icmpbcastecho, ! 0, ""); ! ! static int icmpmcastecho = 1; ! SYSCTL_INT(_net_inet_icmp, OID_AUTO, mcastecho, CTLFLAG_RW, &icmpmcastecho, ! 0, ""); ! ! static int icmptstampreply = 0; ! SYSCTL_INT(_net_inet_icmp, OID_AUTO, tstampreply, CTLFLAG_RW, &icmptstampreply, 0, ""); #ifdef ICMPPRINTFS *************** *** 374,381 **** break; case ICMP_ECHO: ! if (!icmpbmcastecho ! 
&& (m->m_flags & (M_MCAST | M_BCAST)) != 0) { icmpstat.icps_bmcastecho++; break; } --- 382,394 ---- break; case ICMP_ECHO: ! if (!icmpbcastecho ! && (m->m_flags & M_BCAST) != 0) { ! icmpstat.icps_bmcastecho++; ! break; ! } ! if (!icmpmcastecho ! && (m->m_flags & M_MCAST) != 0) { icmpstat.icps_bmcastecho++; break; } *************** *** 383,393 **** goto reflect; case ICMP_TSTAMP: ! if (!icmpbmcastecho ! && (m->m_flags & (M_MCAST | M_BCAST)) != 0) { ! icmpstat.icps_bmcasttstamp++; break; - } if (icmplen < ICMP_TSLEN) { icmpstat.icps_badlen++; break; --- 396,403 ---- goto reflect; case ICMP_TSTAMP: ! if (!icmptstampreply) break; if (icmplen < ICMP_TSLEN) { icmpstat.icps_badlen++; break; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
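Review bot: in the first hunk (lines 69-84) the `bmcastecho` sysctl is removed outright rather than kept as a compatibility alias, so any `net.inet.icmp.bmcastecho` setting already in an administrator's sysctl.conf or rc files will no longer match an OID after this change; the cover mail should say so. The same hunk also adds a third knob, `tstampreply`, that the mail does not mention at all, and all three new `SYSCTL_INT` entries keep the empty `""` description string, so a short description for `bcastecho`, `mcastecho` and `tstampreply` would help anyone discovering them with sysctl(8).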
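Review bot: in the `ICMP_ECHO` hunk (lines 382-394) both of the new branches increment the same counter, `icmpstat.icps_bmcastecho++`, so even though the broadcast and multicast knobs are now separate an operator reading the statistics still cannot tell a dropped broadcast echo from a dropped multicast echo. Consider a separate counter for the multicast case, or document that the shared counter is intentional.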
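Review bot: the `ICMP_TSTAMP` hunk (lines 396-403) changes more than the broadcast/multicast split described in the mail: the old code only dropped timestamp requests arriving as broadcast or multicast, while the new `if (!icmptstampreply) break;` with `icmptstampreply = 0` drops every timestamp request, unicast included. That is a defensible hardening default, since timestamp replies expose host clock information, but it is a behaviour change that should be called out explicitly. The hunk also removes the only `icmpstat.icps_bmcasttstamp++` visible here without counting the new drop anywhere, so that statistic goes dead; either count the dropped request under a suitable counter or retire the field.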