Date: Tue, 17 Aug 1999 11:38:27 +0200
From: Stefan Esser
To: Ed Baxter
Cc: freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, Stefan Esser
Subject: Re: how to stop route redirects
Message-ID: <19990817113827.A530@dialup124.zpr.uni-koeln.de>
Reply-To: se@freebsd.org
References: <9908161526560P.13614@redhat>
In-Reply-To: <9908161526560P.13614@redhat>; from Ed Baxter on Mon, Aug 16, 1999 at 03:15:28PM -0700

On 1999-08-16 15:15 -0700, Ed Baxter wrote:

Route redirect is based on ICMP. See "man ipfw" (or "man ipf") and
referred man-pages for the packet filter extensions that allow
blocking of all or specific ICMP redirect messages.

If you are running a recent -current (after August 10th), then you
can control how the kernel reacts to ICMP redirect packets:

    net.inet.icmp.log_redirect: 0
    net.inet.icmp.drop_redirect: 0

Use "sysctl -w net.inet.icmp.drop_redirect=1" to ignore all ICMP
redirects (possibly after prior logging, if "log_redirect" == 1).

(You may want to merge that code into -stable, else:

    cd /sys/netinet
    cvs up -kk -j 1.35 ip_icmp.c

Or apply the patch at the end of this file to just add the "drop"
feature to -stable ...)

Regards, STefan

Index: ip_icmp.c =================================================================== RCS file: /usr/cvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.33.2.1 diff -u -2 -r1.33.2.1 ip_icmp.c --- ip_icmp.c 1999/03/06 23:11:41 1.33.2.1 +++ ip_icmp.c 1999/08/17 09:36:45 @@ -70,4 +70,8 @@ &icmpmaskrepl, 0, ""); +static int drop_redirect = 0; +SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW, + &drop_redirect, 0, ""); + #ifdef ICMP_BANDLIM @@ -463,4 +467,6 @@ case ICMP_REDIRECT: + if (drop_redirect) + break; if (code > 3) goto badcode;
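Review bot: The new SYSCTL_INT for drop_redirect in the first hunk (@@ -70,4 +70,8 @@) is registered with an empty description string (the trailing ""), so nothing in the sysctl tree says what setting it to 1 does. That matches the icmpmaskrepl context line above it, but a short description such as "Ignore ICMP redirects" would document a knob that changes how the host treats routing updates from the network. The explicit "= 0" on the static int is also redundant, since statics are zero-initialised.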
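Review bot: In the second hunk (@@ -463,4 +467,6 @@) the "if (drop_redirect) break;" sits ahead of the existing "if (code > 3) goto badcode;", so with the knob set a redirect carrying an undefined code leaves through break and never reaches the badcode path. If malformed redirects should still be handled as bad codes, move the drop_redirect test below the code check. The drop is also silent in this version: no counter or log call is visible in the hunk, so an administrator cannot tell from these lines how many redirects were ignored.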
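The behaviour the message describes for the two knobs (log the redirect if log_redirect is set, then ignore it if drop_redirect is set) can be modelled in user space. This is an added example, not code from the mail or from the FreeBSD source; the struct, the function names, the log format and the sample addresses are constructed for illustration, and the model simplifies the kernel's own processing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ICMP_REDIRECT   5   /* ICMP type 5 (RFC 792) */
#define REDIRECT_MINLEN 36  /* 8 ICMP + 20 embedded IP header + 8 data bytes */
enum verdict { NOT_REDIRECT, MALFORMED, DROPPED, ACCEPTED };
/* Hypothetical user-space stand-ins for the two sysctl knobs in the mail. */
struct policy { int log_redirect, drop_redirect; };

/* RFC 1071 Internet checksum; yields 0 over a message with a valid checksum. */
static uint16_t cksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build a constructed redirect: gateway in bytes 4-7, original dst in 24-27. */
void make_redirect(uint8_t *m, uint8_t code, const uint8_t *gw, const uint8_t *dst) {
    memset(m, 0, REDIRECT_MINLEN);
    m[0] = ICMP_REDIRECT; m[1] = code; m[8] = 0x45;
    memcpy(m + 4, gw, 4); memcpy(m + 24, dst, 4);
    uint16_t c = cksum(m, REDIRECT_MINLEN);
    m[2] = (uint8_t)(c >> 8); m[3] = (uint8_t)(c & 0xff);
}

/* Classify one ICMP message (outer IP header stripped): log first, then drop,
 * and validate the code only when the redirect would actually be acted on. */
enum verdict classify(const uint8_t *m, size_t n, const struct policy *pol,
                      char *msg, size_t msgsz) {
    if (n < 8 || m[0] != ICMP_REDIRECT) return NOT_REDIRECT;
    if (n < REDIRECT_MINLEN || cksum(m, n) != 0) return MALFORMED;
    if (pol->log_redirect)
        snprintf(msg, msgsz, "icmp redirect code %d: dst %d.%d.%d.%d via gw %d.%d.%d.%d",
                 m[1], m[24], m[25], m[26], m[27], m[4], m[5], m[6], m[7]);
    if (pol->drop_redirect) return DROPPED;  /* ignored: routes stay untouched */
    return m[1] > 3 ? MALFORMED : ACCEPTED;  /* only codes 0-3 are defined */
}

int main(void) {
    const uint8_t gw[4] = {192, 0, 2, 1}, dst[4] = {198, 51, 100, 7}; /* constructed */
    uint8_t pkt[REDIRECT_MINLEN]; char msg[96] = "";
    struct policy on = {1, 1};
    make_redirect(pkt, 1, gw, dst);
    printf("verdict=%d log=\"%s\"\n", (int)classify(pkt, sizeof pkt, &on, msg, sizeof msg), msg);
    return 0;
}
```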