From: Dag-Erling Smorgrav
Date: 11 Jun 1999 19:28:27 +0200
To: "Richard Childers"
Cc: "Dmitriy Bokiy" ,
Subject: Re: Newbie questions: DoS & xinetd
References: <18819.990610@cityline.ru> <37600E33.9A11E641@hamquist.com>
In-Reply-To: "Richard Childers"'s message of "Thu, 10 Jun 1999 12:12:51 -0700"
Sender: owner-freebsd-security@FreeBSD.ORG

"Richard Childers" writes:
> For instance, if I wanted to search for all occurrences of the string
> "net.inet.ip.redirect", I would do:
>
>   # find / -type f -exec grep -i "net.inet.ip.redirect" {} \; -print

Which starts a grep process for every file on disk, which - needless to
say - is extremely inefficient. Use xargs.

Anyway, there is no need to use find(1) to find information about
net.inet.ip.redirect. Just:

  $ cd /sys/netinet
  $ grep 'SYSCTL.*redirect' *.c

will give you the name of the source file where the variable is
defined (ip_input.c, which I or any other kernel hacker could've told
you without even needing grep). A quick scan of that file would show
you that this sysctl variable controls *sending* redirects. As for
receiving them, incoming ICMP packets are handled in ip_icmp.c (also
in /sys/netinet). They are always honored, and the only way to avoid
honoring them is to run a firewall. A good rule is to block all ICMP
except types 0,3,8,11. The paranoid will want to block 0 and 8 as
well. Blocking 11 prevents traceroute(8) from working, but should not
have any adverse effects on performance (I don't know of any place on
the globe which is more than 64 hops away from me). Blocking 3
(UNREACH) is usually a bad idea.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no
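The ICMP rule from the message above, as an added example that is not part of the original post and is not FreeBSD kernel or ipfw code: a stand-alone classifier that allows only types 0, 3, 8 and 11 (3 and 11 only in "paranoid" mode), so a redirect (type 5) is dropped. The names `icmp_filter`, `make_icmp` and `verdict` are hypothetical, dropping malformed packets and non-first ICMP fragments is an assumption of this sketch, and the sample packets are constructed (192.0.2.x addresses, zeroed checksums).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum verdict { PASS_NOT_ICMP, ALLOW, DENY };

static int type_allowed(uint8_t type, int paranoid)
{
    switch (type) {
    case 3: case 11: return 1;          /* unreachable, time exceeded */
    case 0: case 8:  return !paranoid;  /* echo reply / echo request */
    default:         return 0;          /* everything else, incl. 5 = redirect */
    }
}

/* Classify one raw IPv4 packet, starting at the IP header. */
enum verdict icmp_filter(const uint8_t *pkt, size_t len, int paranoid)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DENY;                    /* assumption: drop malformed input */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* IP options shift the ICMP header */
    if (ihl < 20 || len < ihl)
        return DENY;
    if (pkt[9] != 1)
        return PASS_NOT_ICMP;           /* protocol 1 = ICMP; others not judged here */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return DENY;                    /* later fragment: no ICMP type to inspect */
    if (len < ihl + 8)
        return DENY;                    /* truncated ICMP header */
    return type_allowed(pkt[ihl], paranoid) ? ALLOW : DENY;
}

/* Constructed sample: minimal 28-byte IPv4 + ICMP packet of the given type. */
void make_icmp(uint8_t *buf, uint8_t type)
{
    static const uint8_t ip[20] = { 0x45, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0,
                                    192, 0, 2, 1, 192, 0, 2, 2 };
    for (size_t i = 0; i < 28; i++)
        buf[i] = i < 20 ? ip[i] : 0;
    buf[20] = type;
}

int main(void)
{
    uint8_t p[28];
    for (int t = 0; t <= 11; t++) {
        make_icmp(p, (uint8_t)t);
        printf("type %2d: normal=%d paranoid=%d\n", t,
               (int)icmp_filter(p, sizeof p, 0), (int)icmp_filter(p, sizeof p, 1));
    }
    return 0;
}
```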