From owner-freebsd-questions Mon Sep 14 16:13:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA15091 for freebsd-questions-outgoing; Mon, 14 Sep 1998 16:13:44 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA15076 for ; Mon, 14 Sep 1998 16:13:35 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 10258 invoked by uid 1001); 14 Sep 1998 23:13:17 +0000 (GMT)
To: tlambert@primenet.com
Cc: hackers@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: problem using 3 x znyx314 cards for 12 de ethernets
In-Reply-To: Your message of "Sun, 13 Sep 1998 23:03:26 +0000 (GMT)"
References: <199809132303.QAA21895@usr04.primenet.com>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Tue, 15 Sep 1998 01:13:17 +0200
Message-ID: <10256.905814797@verdi.nethelp.no>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > static int icmpbmcastecho = 1;
> > SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
> >     0, "");
> >
> > I believe it should be turned *off* by default, and hope this is fixed
> > before 3.0 is released.
>
> Being off by default would break SLP and IPv6 autodetection for
> address assignment.

When you say SLP, I assume you're talking about RFC 2165. From my reading
of RFC 2165, multicast is preferred:

   The Service Location discovery mechanisms typically multicast
   messages to as many enterprise networks as needed to establish
   service availability. The protocol will operate in a broadcast
   environment with limitations detailed in section 3.6.1.
It says that Service Agents must listen to the IP broadcast address, but
I assume there are considerably fewer Service Agents than User Agents,
and explicitly configuring them to listen to the IP broadcast address
would not seem to be an undue hardship.

As far as I can see, IPv6 autodetection uses multicast, not broadcast.
Also, since the FreeBSD TCP/IP stack currently doesn't implement IPv6,
I find it hard to use this as a very strong argument.

My conclusion is that we probably need separate sysctl variables for
"multicast echo" and "broadcast echo", with the former defaulting to on,
and the latter to off. Yes, I volunteer to do this if there is any
interest.

> Certainly, you should be able to turn it off, but the correct place
> to block DOS broadcast ping attacks is your firewall.

I agree that this is the best place for it - but I'd also like FreeBSD
systems to be secure against smurf attacks out of the box, even if the
router/firewall/whatever lets IP broadcast through (and translates it
to link-level broadcast).

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
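The following is an added example, not FreeBSD code and not part of the message above. It is a user-space C model of the echo branch of icmp_input() with the gate split the way the message proposes: one knob for echo requests that arrived as link-level broadcast (default off, which is what stops a host from being a smurf amplifier) and a separate knob for multicast (default on, so multicast-based discovery keeps working). The knob names icmp_bcastecho and icmp_mcastecho, the icmpstat counters and the packet bytes are assumptions constructed for the example; M_BCAST and M_MCAST borrow the BSD mbuf flag names but the values here are arbitrary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Link-level delivery flags on the received packet. The names follow the
 * BSD mbuf flags the real icmp_input() tests; the values are arbitrary here. */
#define M_BCAST 0x01
#define M_MCAST 0x02

#define ICMP_ECHO      8
#define ICMP_ECHOREPLY 0
#define ICMP_HDRLEN    8

/* Hypothetical replacements for the single net.inet.icmp.bmcastecho knob,
 * with the defaults the message argues for. */
static int icmp_bcastecho = 0;   /* answer echo requests delivered by broadcast */
static int icmp_mcastecho = 1;   /* answer echo requests delivered by multicast */

/* Constructed counters in the spirit of icmpstat. */
struct icmp_counters {
    unsigned long replied, badsum, bcastecho_dropped, mcastecho_dropped;
};
static struct icmp_counters icmpstat;

/* RFC 1071 one's-complement checksum; returns 0 over a correctly checksummed buffer. */
uint16_t in_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((buf[0] << 8) | buf[1]);
        buf += 2;
        len -= 2;
    }
    if (len)                       /* odd trailing byte is the high half of a last word */
        sum += (uint32_t)(buf[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (type 8) into buf; returns the total length. */
size_t build_echo_request(uint8_t *buf, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t plen)
{
    buf[0] = ICMP_ECHO;
    buf[1] = 0;                    /* code */
    buf[2] = buf[3] = 0;           /* checksum is computed over the zeroed field */
    buf[4] = id >> 8;  buf[5] = id & 0xff;
    buf[6] = seq >> 8; buf[7] = seq & 0xff;
    memcpy(buf + ICMP_HDRLEN, payload, plen);
    uint16_t ck = in_cksum(buf, ICMP_HDRLEN + plen);
    buf[2] = ck >> 8;  buf[3] = ck & 0xff;
    return ICMP_HDRLEN + plen;
}

/* Model of the echo branch of icmp_input(). Returns 1 and writes an echo
 * reply of the same length into out when the host should answer, 0 when
 * the request is dropped. mflags carries M_BCAST / M_MCAST. */
int icmp_echo_input(const uint8_t *pkt, size_t len, int mflags, uint8_t *out)
{
    if (len < ICMP_HDRLEN || pkt[0] != ICMP_ECHO || pkt[1] != 0)
        return 0;
    if (in_cksum(pkt, len) != 0) {
        icmpstat.badsum++;
        return 0;
    }
    /* The proposed split: broadcast and multicast are gated independently,
     * so broadcast echo (the smurf amplifier) can be refused without
     * breaking multicast-based discovery. */
    if ((mflags & M_BCAST) && !icmp_bcastecho) {
        icmpstat.bcastecho_dropped++;
        return 0;
    }
    if ((mflags & M_MCAST) && !icmp_mcastecho) {
        icmpstat.mcastecho_dropped++;
        return 0;
    }
    memcpy(out, pkt, len);
    out[0] = ICMP_ECHOREPLY;
    out[2] = out[3] = 0;
    uint16_t ck = in_cksum(out, len);
    out[2] = ck >> 8; out[3] = ck & 0xff;
    icmpstat.replied++;
    return 1;
}

int main(void)
{
    /* Constructed request: id 0x1234, seq 1, payload "smurf-probe" plus its NUL. */
    const uint8_t payload[] = "smurf-probe";
    uint8_t req[64], rep[64];
    size_t n = build_echo_request(req, 0x1234, 1, payload, sizeof payload);
    const struct { const char *name; int flags; } cases[] = {
        { "unicast",   0 },
        { "broadcast", M_BCAST },
        { "multicast", M_MCAST },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-9s echo request -> %s\n", cases[i].name,
               icmp_echo_input(req, n, cases[i].flags, rep) ? "reply" : "dropped");
    printf("replied=%lu bcast_dropped=%lu mcast_dropped=%lu badsum=%lu\n",
           icmpstat.replied, icmpstat.bcastecho_dropped,
           icmpstat.mcastecho_dropped, icmpstat.badsum);
    return 0;
}
```

With the defaults shown, the unicast and multicast requests are answered and the broadcast one is counted and dropped; setting icmp_bcastecho to 1 restores the old behaviour for the broadcast case only. The checksum is verified before the policy check so that a mangled request never reaches the reply path, and the reply checksum is recomputed after the type byte changes, as a real implementation must do.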