Date: 13 Jun 1999 12:50:06 +0200
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Nicholas Brawn <ncb@zip.com.au>
Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>, Richard Childers <rchilders@hamquist.com>, Dmitriy Bokiy <ratebor@cityline.ru>, freebsd-security@FreeBSD.ORG
Subject: Re: Newbie questions: DoS & xinetd
Message-ID: <xzpvhcsxtlt.fsf@flood.ping.uio.no>
In-Reply-To: Nicholas Brawn's message of "Sat, 12 Jun 1999 13:20:21 +1000 (EST)"
References: <Pine.LNX.4.05.9906121313250.7720-100000@zipper.zip.com.au>
Nicholas Brawn <ncb@zip.com.au> writes: > For those interested, here is a patch to /sys/netinet/ip_icmp.c that will > enable the dropping of icmp redirects without requiring the use of IPFW or > IPFilter (although it's a good idea to run either one of them). Here's a better patch: Index: src/sys/netinet/ip_icmp.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.34 diff -u -r1.34 ip_icmp.c --- ip_icmp.c 1999/03/06 23:10:42 1.34 +++ ip_icmp.c 1999/06/13 10:41:47 @@ -69,6 +69,14 @@ SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); +static int logredirect = 0; +SYSCTL_INT(_net_inet_icmp, OID_AUTO, logredirect, CTLFLAG_RW, + &logredirect, 0, ""); + +static int dropredirect = 0; +SYSCTL_INT(_net_inet_icmp, OID_AUTO, dropredirect, CTLFLAG_RW, + &dropredirect, 0, ""); + #ifdef ICMP_BANDLIM /* @@ -462,6 +470,15 @@ return; case ICMP_REDIRECT: + if (logredirect) { + char from[4 * sizeof "123"], dst[4 * sizeof "123"]; + strcpy(from, inet_ntoa(icp->ip_src)); + strcpy(dst, inet_ntoa(icp->icmp_ip.ip_dst)); + printf("icmp_redirect from %s: %s => %s\n", + from, dst, inet_ntoa(icp->icmp_gwaddr)); + } + if (dropredirect) + break; if (code > 3) goto badcode; if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) || Index: src/etc/rc.network =================================================================== RCS file: /home/ncvs/src/etc/rc.network,v retrieving revision 1.47 diff -u -r1.47 rc.network --- rc.network 1999/06/08 13:00:30 1.47 +++ rc.network 1999/06/13 10:48:08 
@@ -164,6 +164,16 @@ echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_dropredirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.dropredirect=1 >/dev/null + fi + + if [ "X$icmp_logredirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.logredirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' Index: src/etc/defaults/rc.conf =================================================================== RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.10 diff -u -r1.10 rc.conf --- rc.conf 1999/06/05 05:45:57 1.10 +++ rc.conf 1999/06/13 10:44:09 @@ -42,6 +42,8 @@ tcp_extensions="NO" # Set to Yes to turn on RFC1323 extensions. log_in_vain="NO" # Disallow bad connection logging (or YES). tcp_keepalive="YES" # Kill dead TCP connections (or NO). +icmp_dropredirect="NO" # Set to YES to ignore ICMP REDIRECT packets +icmp_logredirect="NO" # Set to YES to log ICMP REDIRECT packets network_interfaces="lo0" # List of network interfaces (lo0 is loopback). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry. DES -- Dag-Erling Smorgrav - des@flood.ping.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
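Review bot: in the first ip_icmp.c hunk (@@ -69), both new SYSCTL_INT registrations for logredirect and dropredirect pass an empty description string, so the knobs carry no explanation of what they do; a short text such as "Log ICMP redirects" and "Ignore ICMP redirects" in place of the `""` would document them at the point where they are defined. Copying the `""` from the existing maskrepl entry keeps the style of that line but not its usefulness, and since these are the only user-visible names for the feature, the description is the cheapest documentation to add.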
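Review bot: in the ICMP_REDIRECT hunk (@@ -462), the `if (logredirect)` block reads `icp->icmp_ip.ip_dst` and `icp->icmp_gwaddr` before the existing `if (code > 3)` and `icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp)` checks run, so a truncated or malformed redirect is logged with fields that have not yet been validated as present in the packet. Move both the logging block and `if (dropredirect) break;` below those checks so the order becomes validate, log, drop; that way only well-formed redirects are reported and dropped ones are still logged. The `printf` is also emitted once per packet with no throttling, so a burst of redirects becomes a burst of console messages; given that the file already has an ICMP_BANDLIM section (visible in the previous hunk's context), consider rate-limiting this message as well. The `strcpy` into the local `from`/`dst` buffers is the right way to handle the shared static buffer returned by `inet_ntoa`, and the `4 * sizeof "123"` (16 byte) size holds the longest dotted quad plus its terminator.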
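Review bot: in the rc.network hunk (@@ -164), the two new `sysctl -w` calls redirect only stdout to /dev/null, so anything sysctl prints on stderr (for example when the running kernel was built without the ip_icmp.c change and does not know `net.inet.icmp.dropredirect` or `net.inet.icmp.logredirect`) still reaches the console at boot when either variable is set to YES. That matches the bmcastecho block directly above and is acceptable, but it does mean the rc.conf side should tell the user that these knobs need the matching kernel. The `"X$var" = X"YES"` tests and the `echo -n ' ... =YES'` progress strings follow the surrounding style correctly.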
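Review bot: in the rc.conf hunk (@@ -42), the two added comments depart from the file's comment style: the neighbouring entries end with a period and name the alternative value ("Kill dead TCP connections (or NO)."), whereas the new lines read "# Set to YES to ignore ICMP REDIRECT packets" with no terminating period. Suggest `icmp_dropredirect="NO" # Ignore ICMP REDIRECT packets (or YES).` and the same form for icmp_logredirect, which also keeps the comment column aligned with the lines around it. Defaulting both to NO is the right call, since it preserves current behaviour for existing installs until an administrator opts in.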