Date:      Sat, 12 Jun 1999 13:20:21 +1000 (EST)
From:      Nicholas Brawn <ncb@zip.com.au>
To:        Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc:        Richard Childers <rchilders@hamquist.com>, Dmitriy Bokiy <ratebor@cityline.ru>, freebsd-security@FreeBSD.ORG
Subject:   Re: Newbie questions: DoS & xinetd
Message-ID:  <Pine.LNX.4.05.9906121313250.7720-100000@zipper.zip.com.au>
In-Reply-To: <xzpvhcuejes.fsf@flood.ping.uio.no>

On 11 Jun 1999, Dag-Erling Smorgrav wrote:

> will give you the name of the source file where the variable is
> defined (ip_input.c, which I or any other kernel hacker could've told
> you without even needing grep). A quick scan of that file would show
> you that this sysctl variable controls *sending* redirects. As for
> receiving them, incoming ICMP packets are handled in ip_icmp.c (also
> in /sys/netinet). They are always honored, and the only way to avoid
> honoring them is to run a firewall. A good rule is to block all ICMP
> except types 0,3,8,11. The paranoid will want to block 0 and 8 as
> well. Blocking 11 prevents traceroute(8) from working, but should not
> have any adverse effects on performance (I don't know of any place on
> the globe which is more than 64 hops away from me). Blocking 3
> (UNREACH) is usually a bad idea.

For those interested, here is a patch to /sys/netinet/ip_icmp.c that will
enable the dropping of icmp redirects without requiring the use of IPFW or
IPFilter (although it's a good idea to run either one of them).

*** ip_icmp.c.orig	Wed Jun  2 15:06:02 1999
--- ip_icmp.c	Wed Jun  2 15:23:51 1999
***************
*** 42,47 ****
--- 42,48 ----
  #include <sys/time.h>
  #include <sys/kernel.h>
  #include <sys/sysctl.h>
+ #include <sys/syslog.h>
  
  #include <net/if.h>
  #include <net/route.h>
***************
*** 69,74 ****
--- 70,79 ----
  SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
  	&icmpmaskrepl, 0, "");
  
+ static int	dropredirects = 0;
+ SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirects, CTLFLAG_RW, 
+ 	&dropredirects, 0, "");
+ 
  #ifdef ICMP_BANDLIM 
   
  /*    
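Review bot: the new SYSCTL_INT entry is registered with an empty description string; the neighbouring `maskrepl` entry does the same, but a short text such as "Drop incoming ICMP redirects" would make the knob self-documenting for anyone listing net.inet.icmp. The default of 0 keeps the stock behaviour, which is the right choice for a kernel patch. The `SYSCTL_INT(...)` line also carries trailing whitespace that should be stripped.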
***************
*** 462,467 ****
--- 467,479 ----
  		return;
  
  	case ICMP_REDIRECT:
+ 		if (dropredirect) {
+ 			char buf[4 * sizeof "123"];
+ 			strncpy(buf, inet_ntoa(icp->icmp_ip.ip_dst),sizeof(buf));
+ 			log(LOG_INFO,"Received icmp redirect => dst %s to %s\n",
+ 				 buf, inet_ntoa(icp->icmp_gwaddr)); 
+ 			break;
+ 		}	
  		if (code > 3)
  			goto badcode;
  		if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
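Review bot: the condition tests `dropredirect`, but the variable introduced for the sysctl is `dropredirects`, so this hunk does not compile as posted; it should read `if (dropredirects) {`. Two further points. First, the branch leaves the switch with `break` rather than returning the way the case above it does (see the `return;` at the top of this hunk), so whatever icmp_input does after the switch still runs for the "dropped" packet; if the intent is to discard the redirect outright, free the packet and return here. Second, `log(LOG_INFO, ...)` fires once per received redirect with no limit, unlike the `ICMP_BANDLIM` code visible in the previous hunk, so a burst of redirects becomes a burst of syslog lines; count them in a statistic or rate-limit the message. The `strncpy` into the 16-byte `buf` is fine, since the longest dotted quad is 15 characters plus the terminator. There is trailing whitespace after the closing `}` of the new block.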
***************
*** 484,490 ****
  			strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst));
  
  			printf("redirect dst %s to %s\n",
! 			       buf, inet_ntoa(icp->icmp_gwaddr));
  		}
  #endif
  		icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
--- 496,502 ----
  			strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst));
  
  			printf("redirect dst %s to %s\n",
! 			       buf, inet_ntoa(icp->icmp_gwaddr)); 
  		}
  #endif
  		icmpsrc.sin_addr = icp->icmp_ip.ip_dst;
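Review bot: this hunk changes nothing but trailing whitespace on the `printf` argument line (the two `!` lines are otherwise identical), so it should be dropped from the patch; it adds noise to the diff and can cause a spurious rejection when applied to a tree where that whitespace differs.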


Cheers,
Nick


