Date: Sat, 30 Jan 1999 00:09:07 -0800 (PST)
From: shipley@dis.org
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: shipley@dis.org, cyber@dis.org
Subject: kern/9791: enhancement for netinet/ip_icmp.c to control ping responses
Message-ID: <199901300809.AAA01151@dipshit.dis.org>
>Number:         9791
>Category:       kern
>Synopsis:       enhancement for netinet/ip_icmp.c to control ping responses
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 30 00:20:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Peter Shipley
>Release:        FreeBSD 3.0-RELEASE i386
>Organization:
KPMG
>Environment:
Network based FreeBSD systems with security concerns
>Description:
These are patches to FreeBSD 3.0-RELEASE to add an option (settable via sysctl) to disallow pings (ICMP_ECHO) from all systems, or to restrict them to just hosts on the local network.

This can be set by modifying net.inet.icmp.icmpechosecurity with sysctl:

  0 = normal operation
  1 = reply to localnet pings
  2 = ignore everyone

That is, if net.inet.icmp.icmpechosecurity is set to 0 (the default), the system will respond to pings in the normal manner. If net.inet.icmp.icmpechosecurity=1, the system will respond only to pings originating from the localnet (as defined by the system's IP address and netmask). If net.inet.icmp.icmpechosecurity=2, the system will ignore all pings.

The reason for this is to enhance security on the system. (I have written a user-level program (pingd) that I will release to the ports collection in a week or so; it will handle pings for the local system as well as "proxy" them for systems behind a firewall.
This enhancement will be required for this system to function optimally) >How-To-Repeat: >Fix: *** netinet/ip_icmp.c.orig Fri Jan 29 03:29:29 1999 --- netinet/ip_icmp.c Fri Jan 29 19:20:20 1999 *************** *** 73,78 **** --- 73,96 ---- SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho, 0, ""); + /* + * 0 = normally operation + * 1 = reply to localnet pings + * 2 = ignore everyone + * + * negative values are considered 0 + * values greater then 2 are evaluated as 2 + * + * In theory this may be better done as a bitmask then merged + * with icmpbmcastecho but I did not want to break things + * <shipley@dis.org> + */ + + static int icmpechosecurity = 0; + SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmpechosecurity, CTLFLAG_RW, + &icmpechosecurity, 0, ""); + + #ifdef ICMPPRINTFS int icmpprintfs = 0; #endif *************** *** 379,384 **** --- 397,423 ---- icmpstat.icps_bmcastecho++; break; } + + if ( icmpechosecurity >= 2 ) { + /* reject all */ + break; + } else if ( icmpechosecurity == 1 ) { + + /* get netmask */ + ia = (struct in_ifaddr *)ifaof_ifpforaddr( + (struct sockaddr *)&icmpdst, m->m_pkthdr.rcvif); + if (ia == 0 || ia->ia_ifp == 0) { + break; + } + + /* test if there src address is on our subnet */ + if ((ip->ip_src.s_addr & ia->ia_sockmask.sin_addr.s_addr) != + (ip->ip_dst.s_addr & ia->ia_sockmask.sin_addr.s_addr)) { + break; + } + } /* fall through if reply is OK */ + + /* thus icmpechosecurity <= 0 */ icp->icmp_type = ICMP_ECHOREPLY; goto reflect; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
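Review bot: the new `SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmpechosecurity, CTLFLAG_RW, &icmpechosecurity, 0, "");` in the first hunk registers the knob with an empty description string, so the only documentation of its 0/1/2 semantics is the block comment in the source; since this is a security control an administrator will reach for, give it a short description such as "ICMP echo replies: 0 all, 1 local net only, 2 none". The block comment itself has typos ("normally operation", "greater then 2", "bitmask then merged") and is the place readers will look for the range semantics, so it is worth correcting in the same change.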
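Review bot: in the second hunk, the `icmpechosecurity == 1` branch calls `ifaof_ifpforaddr((struct sockaddr *)&icmpdst, m->m_pkthdr.rcvif)` but nothing in the hunk sets `icmpdst.sin_addr` first; unless the code that runs before the `ICMP_ECHO` case already assigns it from `ip->ip_dst`, the lookup is performed on a stale or zero address and `ia->ia_sockmask` may describe a different interface than the one the packet arrived on, which would make the local-subnet test admit or reject the wrong sources. Set `icmpdst.sin_addr = ip->ip_dst;` immediately before the call so the mask always matches the destination the echo was sent to. Two smaller points: the drops for `ia == 0` and for an off-subnet source are silent, whereas the broadcast drop just above bumps `icmpstat.icps_bmcastecho++`, so an equivalent counter would let operators see how often the filter fires; and the comment `/* thus icmpechosecurity <= 0 */` after the fall-through is inaccurate, because the reply path is also reached when the value is 1 and the source passed the subnet check. The comment "test if there src address is on our subnet" should read "their" or simply "the".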