From owner-freebsd-questions@FreeBSD.ORG Sun Apr 10 11:51:17 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 29A0716A4CE; Sun, 10 Apr 2005 11:51:17 +0000 (GMT)
Received: from mx1.mail.ru (mx1.mail.ru [194.67.23.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id C5CE143D2D; Sun, 10 Apr 2005 11:51:16 +0000 (GMT) (envelope-from infofarmer@mail.ru)
Received: from [83.237.13.12] (port=4996 helo=[172.17.0.69]) by mx1.mail.ru with asmtp id 1DKayB-0008r4-00; Sun, 10 Apr 2005 15:51:15 +0400
Message-ID: <42591335.7060906@mail.ru>
Date: Sun, 10 Apr 2005 15:51:17 +0400
From: "Andrew P."
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Sergey Matveychuk
References: <42590AB3.3070106@FreeBSD.org>
In-Reply-To: <42590AB3.3070106@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: questions@FreeBSD.org
Subject: Re: route entries after ICMP redirect
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: infofarmer@mail.ru
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 10 Apr 2005 11:51:17 -0000

Sergey Matveychuk wrote:
> I've got some problem with route entries that were created after ICMP
> redirect messages. They never expire.
>
> Our default gateway (it's an HP switch) sends ICMP redirect messages if it
> sees a short path to the destination. It makes it not so overloaded. But
> paths sometimes change. There is no problem with Windows workstations,
> they are rebooted daily. But my FreeBSD boxes hold dynamic route entries
> forever.
>
> I've looked through RFCs and Stevens' books and found no answer on what
> TTL these entries have.
> Now I just add a route flush as a cron job. But maybe there is another way?
Quoting this http://www.bsdbooks.net/shells/sysctl.html:

  The third concept that we want to strengthen our box against is
  redirects. In a well-designed network, redirects to the end stations
  should not be required. Both the sending and accepting of redirects
  should be disabled. Again, to achieve this first run the command and
  then add to /etc/rc.conf:

  # sysctl -w net.inet.icmp.drop_redirect=1
  # sysctl -w net.inet.icmp.log_redirect=1
  # sysctl -w net.inet.ip.redirect=0
  # sysctl -w net.inet6.ip6.redirect=0

Best wishes,
Andrew P.
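Neither poster's code: an added shell example that turns both points of this thread into checks an administrator can run on a FreeBSD box, one for the four sysctls quoted above and one for the redirect-created routes Sergey is flushing from cron. It assumes the `key: value` output form of `sysctl` and the `netstat -rn` flag letters D (route created by a redirect) and M (route modified by one); the sample outputs below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): audit helpers for the
# two points above. Each reads real output on stdin, e.g.
#   sysctl -a | check_sysctls ;  netstat -rn | redirect_routes

# Hardened values from the quoted recommendation, one key=value per line.
WANTED='net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0'

# Reads "key: value" lines (sysctl output). Prints each key that deviates
# from WANTED or is missing; returns 1 if any did, else 0.
check_sysctls() {
  rc=0 seen=''
  while IFS= read -r line; do
    key=${line%%:*} val=${line#*: }
    for pair in $WANTED; do
      [ "${pair%%=*}" = "$key" ] || continue
      seen="$seen $key"
      [ "$val" = "${pair#*=}" ] || { echo "$key is $val, want ${pair#*=}"; rc=1; }
    done
  done
  for pair in $WANTED; do   # anything never seen counts as a deviation
    case " $seen " in *" ${pair%%=*} "*) ;;
      *) echo "${pair%%=*} is unset, want ${pair#*=}"; rc=1 ;; esac
  done
  return $rc
}

# Reads `netstat -rn` output. Prints "dest gateway flags" for each route whose
# flags carry D (created by a redirect) or M (modified by one); returns 1 if any.
redirect_routes() {
  found=0
  while read -r dest gw flags rest; do
    case "$flags" in *D*|*M*) echo "$dest $gw $flags"; found=1 ;; esac
  done
  return $found
}
# Constructed samples in the output formats of sysctl and netstat -rn.
SAMPLE_SYSCTL='net.inet.icmp.drop_redirect: 0
net.inet.ip.redirect: 1
net.inet6.ip6.redirect: 0'
SAMPLE_NETSTAT='Destination   Gateway       Flags   Refs   Use  Netif Expire
default       192.168.1.1   UGS        0  1234    em0
10.0.0.5      192.168.1.2   UGHD       0    12    em0'

printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctls || echo "hardening incomplete"
printf '%s\n' "$SAMPLE_NETSTAT" | redirect_routes || echo "redirect routes present"
```

Fed real output, the first function reports every sysctl still at its default and the second lists the host routes a redirect installed, which is what a cron `route flush` is currently removing blindly.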