Date: Sat, 12 Jun 1999 13:20:21 +1000 (EST) From: Nicholas Brawn <ncb@zip.com.au> To: Dag-Erling Smorgrav <des@flood.ping.uio.no> Cc: Richard Childers <rchilders@hamquist.com>, Dmitriy Bokiy <ratebor@cityline.ru>, freebsd-security@FreeBSD.ORG Subject: Re: Newbie questions: DoS & xinetd Message-ID: <Pine.LNX.4.05.9906121313250.7720-100000@zipper.zip.com.au> In-Reply-To: <xzpvhcuejes.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11 Jun 1999, Dag-Erling Smorgrav wrote: > will give you the name of the source file where the variable is > defined (ip_input.c, which I or any other kernel hacker could've told > you without even needing grep). A quick scan of that file would show > you that this sysctl variable controls *sending* redirects. As for > receiving them, incoming ICMP packets are handled in ip_icmp.c (also > in /sys/netinet). They are always honored, and the only way to avoid > honoring them is to run a firewall. A good rule is to block all ICMP > except types 0,3,8,11. The paranoid will want to block 0 and 8 as > well. Blocking 11 prevents traceroute(8) from working, but should not > have any adverse effects on performance (I don't know of any place on > the globe with is more than 64 hops away from me). Blocking 3 > (UNREACH) is usually a bad idea. For those interested, here is a patch to /sys/netinet/ip_icmp.c that will enable the dropping of icmp redirects without requiring the use of IPFW or IPFilter (although it's a good idea to run either one of them). *** ip_icmp.c.orig Wed Jun 2 15:06:02 1999 --- ip_icmp.c Wed Jun 2 15:23:51 1999 *************** *** 42,47 **** --- 42,48 ---- #include <sys/time.h> #include <sys/kernel.h> #include <sys/sysctl.h> + #include <sys/syslog.h> #include <net/if.h> #include <net/route.h> *************** *** 69,74 **** --- 70,79 ---- SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); + static int dropredirects = 0; + SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirects, CTLFLAG_RW, + &dropredirects, 0, ""); + #ifdef ICMP_BANDLIM /* *************** *** 462,467 **** --- 467,479 ---- return; case ICMP_REDIRECT: + if (dropredirect) { + char buf[4 * sizeof "123"]; + strncpy(buf, inet_ntoa(icp->icmp_ip.ip_dst),sizeof(buf)); + log(LOG_INFO,"Received icmp redirect => dst %s to %s\n", + buf, inet_ntoa(icp->icmp_gwaddr)); + break; + } if (code > 3) goto badcode; if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) || *************** *** 484,490 **** strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst)); printf("redirect dst %s to %s\n", ! buf, inet_ntoa(icp->icmp_gwaddr)); } #endif icmpsrc.sin_addr = icp->icmp_ip.ip_dst; --- 496,502 ---- strcpy(buf, inet_ntoa(icp->icmp_ip.ip_dst)); printf("redirect dst %s to %s\n", ! buf, inet_ntoa(icp->icmp_gwaddr)); } #endif icmpsrc.sin_addr = icp->icmp_ip.ip_dst; Cheers, Nick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.05.9906121313250.7720-100000>