Date: Wed, 31 Oct 2001 21:21:31 -0500
From: Mike Tancsa <mike@sentex.net>
To: Spades <spades@galaxynet.org>
Cc: freebsd-security@freebsd.org
Subject: Re: IDS135/ICMP_ICMP-REDIRECT_HOST
Message-ID: <5.1.0.14.0.20011031211852.06278230@192.168.0.12>
In-Reply-To: <3.0.32.20011101103631.02115a1c@smtp.magix.com.sg>

I believe yes. If you add the keyword log, it will tell you what it's denying so you can verify for yourself. You don't want to eat all ICMP traffic as some of it is desirable.

An alternative to dealing with icmp redirects is to do it via sysctl. See sysctl -a net.inet.icmp. Specifically, net.inet.icmp.drop_redirect and net.inet.icmp.log_redirect

        ---Mike

At 10:36 AM 11/1/2001 +0800, Spades wrote:
>Just a quick question..
>
>By default of denying all incoming/outgoing ICMP via
>ipfw using: ipfw add 120 deny icmp from any to any
>
>Does it deny ICMP-REDIRECT packets?
>
>Bryan
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
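Added example, not part of the original message or of FreeBSD: a Python parser for raw IPv4 packets that shows why a protocol-wide ICMP deny also covers redirects (ICMP type 5, code 1 for a host redirect), and how a policy that drops only type 5 leaves other ICMP, such as destination unreachable, alone. The `verdict` policy names, the `build` helper and the sample packets (documentation addresses, zeroed checksums) are constructed for this illustration.

```python
import socket
import struct

# ICMP redirect is type 5 (RFC 792); the code says what is being redirected.
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

def parse_icmp(packet: bytes):
    """Return ICMP fields from a raw IPv4 packet, or None if it is not parseable ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length, options included
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                        # IP protocol 1 = ICMP
    icmp_type, code = packet[ihl], packet[ihl + 1]
    info = {"src": socket.inet_ntoa(packet[12:16]), "type": icmp_type, "code": code}
    if icmp_type == 5:
        # Bytes 4-7 of a redirect carry the gateway the sender wants us to use.
        info["redirect"] = REDIRECT_CODES.get(code, "unknown")
        info["gateway"] = socket.inet_ntoa(packet[ihl + 4:ihl + 8])
    return info

def verdict(packet: bytes, policy: str) -> str:
    """Hypothetical policies: 'all' models a blanket ICMP deny, 'redirects' drops only type 5."""
    info = parse_icmp(packet)
    if info is None:
        return "not-icmp"
    if policy == "all" or info["type"] == 5:
        return "deny"
    return "pass"

def build(icmp_type: int, code: int, rest: bytes, src="192.0.2.1", dst="192.0.2.50"):
    """Constructed sample packet; checksums are left at zero and are not checked here."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + rest
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

# Constructed samples: a host redirect and a "fragmentation needed" unreachable.
REDIRECT_HOST = build(5, 1, socket.inet_aton("192.0.2.254") + b"\x00" * 28)
UNREACHABLE = build(3, 4, b"\x00" * 32)

if __name__ == "__main__":
    for name, pkt in (("redirect-host", REDIRECT_HOST), ("unreachable", UNREACHABLE)):
        print(name, parse_icmp(pkt), verdict(pkt, "all"), verdict(pkt, "redirects"))
```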