Message-Id: <5.1.0.14.0.20011031211852.06278230@192.168.0.12>
Date: Wed, 31 Oct 2001 21:21:31 -0500
To: Spades
From: Mike Tancsa
Subject: Re: IDS135/ICMP_ICMP-REDIRECT_HOST
Cc: freebsd-security@freebsd.org
In-Reply-To: <3.0.32.20011101103631.02115a1c@smtp.magix.com.sg>

I believe yes. If you add the keyword log, it will tell you what it's denying so you can verify for yourself. You don't want to eat all ICMP traffic as some of it is desirable.

An alternative to dealing with icmp redirects is to do it via sysctl. See sysctl -a net.inet.icmp. Specifically, net.inet.icmp.drop_redirect and net.inet.icmp.log_redirect

        ---Mike

At 10:36 AM 11/1/2001 +0800, Spades wrote:
>Just a quick question..
>
>By default of denying all incoming/outgoing ICMP via
>ipfw using: ipfw add 120 deny icmp from any to any
>
>Does it deny ICMP-REDIRECT packets?
>
>Bryan

--------------------------------------------------------------------
Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                mike@sentex.net
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike
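
The sysctl route mentioned in the reply can be checked with a small audit script. This is an added example, not part of the original thread: the function names, return codes and the two sample inputs are constructed for illustration, and the `name: value` input format is assumed to match what `sysctl net.inet.icmp` prints on FreeBSD.

```shell
#!/bin/sh
# Added example: audit the two redirect knobs named in the reply.
# Firewall-side equivalents, for reference (not executed here):
#   ipfw add 120 deny log icmp from any to any              # every ICMP type, logged
#   ipfw add 120 deny log icmp from any to any icmptypes 5  # type 5 = redirect only

# Constructed samples in sysctl's "name: value" output format.
SAMPLE_DEFAULT='net.inet.icmp.maskrepl: 0
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0'
SAMPLE_HARDENED='net.inet.icmp.drop_redirect: 1
net.inet.icmp.log_redirect: 1'

# get_knob NAME: read sysctl output on stdin, print NAME's value (empty if absent).
get_knob() {
    awk -F': *' -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# audit_redirects: read sysctl output on stdin and report the redirect policy.
# Returns 0 = dropped and logged, 1 = dropped but not logged,
#         2 = redirects accepted, 3 = drop_redirect missing from input.
audit_redirects() {
    input=$(cat)
    drop=$(printf '%s\n' "$input" | get_knob net.inet.icmp.drop_redirect)
    log=$(printf '%s\n' "$input" | get_knob net.inet.icmp.log_redirect)
    if [ -z "$drop" ]; then
        echo "UNKNOWN: net.inet.icmp.drop_redirect not present in input"
        return 3
    fi
    if [ "$drop" != "1" ]; then
        echo "WARN: ICMP redirects are accepted (drop_redirect=$drop)"
        return 2
    fi
    if [ "$log" != "1" ]; then
        echo "NOTE: redirects dropped but not logged (log_redirect=${log:-unset})"
        return 1
    fi
    echo "OK: ICMP redirects are dropped and logged"
    return 0
}

# Demo on the constructed samples. On a live FreeBSD host, use instead:
#   sysctl net.inet.icmp | audit_redirects
printf '%s\n' "$SAMPLE_DEFAULT"  | audit_redirects || true
printf '%s\n' "$SAMPLE_HARDENED" | audit_redirects || true
```
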