Date: 13 Jun 1999 12:50:06 +0200 From: Dag-Erling Smorgrav <des@flood.ping.uio.no> To: Nicholas Brawn <ncb@zip.com.au> Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>, Richard Childers <rchilders@hamquist.com>, Dmitriy Bokiy <ratebor@cityline.ru>, freebsd-security@FreeBSD.ORG Subject: Re: Newbie questions: DoS & xinetd Message-ID: <xzpvhcsxtlt.fsf@flood.ping.uio.no> In-Reply-To: Nicholas Brawn's message of "Sat, 12 Jun 1999 13:20:21 %2B1000 (EST)" References: <Pine.LNX.4.05.9906121313250.7720-100000@zipper.zip.com.au>
Nicholas Brawn <ncb@zip.com.au> writes:
> For those interested, here is a patch to /sys/netinet/ip_icmp.c that will
> enable the dropping of icmp redirects without requiring the use of IPFW or
> IPFilter (although it's a good idea to run either one of them).
Here's a better patch:
Index: src/sys/netinet/ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.34
diff -u -r1.34 ip_icmp.c
--- ip_icmp.c 1999/03/06 23:10:42 1.34
+++ ip_icmp.c 1999/06/13 10:41:47
@@ -69,6 +69,14 @@
SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
&icmpmaskrepl, 0, "");
+static int logredirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, logredirect, CTLFLAG_RW,
+ &logredirect, 0, "");
+
+static int dropredirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirect, CTLFLAG_RW,
+ &dropredirect, 0, "");
+
#ifdef ICMP_BANDLIM
/*
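Review bot: Both new SYSCTL_INT registrations pass an empty description string, so `sysctl -d` gives an operator nothing to distinguish two knobs that change how received packets are handled; the existing maskrepl line above does the same, but these are worth documenting since they are what rc.network will flip. Suggest `&logredirect, 0, "Log received ICMP redirects"` and `&dropredirect, 0, "Ignore received ICMP redirects"`. A one-line comment above `dropredirect` saying that it is set from rc.conf via icmp_dropredirect would tie the kernel and rc.network halves of this patch together.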
@@ -462,6 +470,15 @@
return;
case ICMP_REDIRECT:
+ if (logredirect) {
+ char from[4 * sizeof "123"], dst[4 * sizeof "123"];
+ strcpy(from, inet_ntoa(icp->ip_src));
+ strcpy(dst, inet_ntoa(icp->icmp_ip.ip_dst));
+ printf("icmp_redirect from %s: %s => %s\n",
+ from, dst, inet_ntoa(icp->icmp_gwaddr));
+ }
+ if (dropredirect)
+ break;
if (code > 3)
goto badcode;
if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) ||
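Review bot: The `if (logredirect)` block runs before the `code > 3` and `icmplen < ICMP_ADVLENMIN` checks that follow it, so `icp->icmp_ip.ip_dst` and `icp->icmp_gwaddr` are formatted from a redirect whose inner header has not yet been confirmed present; presumably the pullup earlier in icmp_input only guarantees the minimum ICMP header for short packets, so the logged addresses can be garbage for a truncated redirect. Moving the logging to just after the existing length check (so only validated redirects are logged) avoids that, while `if (dropredirect) break;` can stay where it is if short packets must also be dropped. `icp->ip_src` also looks wrong: `icp` is a `struct icmp *` in this function and that struct has no `ip_src` member, so the outer source is presumably `ip->ip_src`. Finally, an unconditional kernel `printf` per redirect means a stream of forged redirects becomes a console flood once logging is enabled; rate-limiting the message, or sending it through `log()` so it reaches syslog, would be safer. icmp_input begins and ends outside the hunk.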
Index: src/etc/rc.network
===================================================================
RCS file: /home/ncvs/src/etc/rc.network,v
retrieving revision 1.47
diff -u -r1.47 rc.network
--- rc.network 1999/06/08 13:00:30 1.47
+++ rc.network 1999/06/13 10:48:08
@@ -164,6 +164,16 @@
echo -n ' broadcast ping responses=YES'
sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null
fi
+
+ if [ "X$icmp_dropredirect" = X"YES" ]; then
+ echo -n ' ignore ICMP redirect=YES'
+ sysctl -w net.inet.icmp.dropredirect=1 >/dev/null
+ fi
+
+ if [ "X$icmp_logredirect" = X"YES" ]; then
+ echo -n ' log ICMP redirect=YES'
+ sysctl -w net.inet.icmp.logredirect=1 >/dev/null
+ fi
if [ "X$gateway_enable" = X"YES" ]; then
echo -n ' IP gateway=YES'
Index: src/etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.10
diff -u -r1.10 rc.conf
--- rc.conf 1999/06/05 05:45:57 1.10
+++ rc.conf 1999/06/13 10:44:09
@@ -42,6 +42,8 @@
tcp_extensions="NO" # Set to Yes to turn on RFC1323 extensions.
log_in_vain="NO" # Disallow bad connection logging (or YES).
tcp_keepalive="YES" # Kill dead TCP connections (or NO).
+icmp_dropredirect="NO" # Set to YES to ignore ICMP REDIRECT packets
+icmp_logredirect="NO" # Set to YES to log ICMP REDIRECT packets
network_interfaces="lo0" # List of network interfaces (lo0 is loopback).
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no
