Date:      Sun, 20 Sep 1998 17:43:48 +0200
From:      sthaug@nethelp.no
To:        tlambert@primenet.com
Cc:        rotel@indigo.ie, hackers@FreeBSD.ORG, questions@FreeBSD.ORG
Subject:   Re: problem using 3 x znyx314 cards for 12 de ethernets
Message-ID:  <19545.906306228@verdi.nethelp.no>
In-Reply-To: Your message of "Fri, 18 Sep 1998 03:11:14 +0000 (GMT)"
References:  <199809180311.UAA00693@usr04.primenet.com>

> > These are different issues, someone can be partly responsible for
> > a smurf attack without ever realising it and (more importantly)
> > without _their_ security/quality of service being compromised.  I
> > don't care how many boxes get hacked as long as they aren't mine,
> > but it's reasonable to complain about a configuration which makes
> > it too easy for script kiddies to exploit the ineptitude or
> > carelessness of admins to affect _other_ competent and careful
> > admins' boxes.
> > 
> > It's akin to shipping sendmail with open relaying.
> 
> If you want a C2 hardened system, quit pussyfooting around and start
> addressing the real issues leading up to C2 certification.  Otherwise,
> griping about something that will never happen given a correctly
> configured firewall, and which "fixing" will break a behaviour that
> is universally known to be useful, seems a bit counter-productive.

This whole discussion is moot. The default ICMP broadcast behavior for
FreeBSD was changed recently:

34c34
<  *	$Id: ip_icmp.c,v 1.30 1998/05/26 11:34:30 dg Exp $
---
>  *	$Id: ip_icmp.c,v 1.31 1998/09/15 10:49:03 jkoshy Exp $
72c72
< static int	icmpbmcastecho = 1;
---
> static int	icmpbmcastecho = 0;
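Review bot: the `72c72` hunk changes only the compiled-in default of `icmpbmcastecho`; because the knob is exported read-write as net.inet.icmp.bmcastecho (see the `CTLFLAG_RW` sysctl declaration in the attached patch), a host whose /etc/sysctl.conf already sets it to 1 keeps answering broadcast echo requests after upgrading, so the new default should be called out in the release notes rather than relied on silently.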

Also, I just submitted patches to separate the broadcast and multicast
echo functionality, with the broadcast echo defaulting to off and the
multicast echo defaulting to on, as suggested by both Bill Fenner and
myself. That way the ping bombers won't have quite as easy a time with
FreeBSD boxes, and Terry Lambert will still be able to get a reply
from the FreeBSD boxes on his LAN by pinging 224.0.0.1. Everybody happy
now? :-)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
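The policy change described above (broadcast echo off, multicast echo on, so a broadcast ping gets no reply while ping 224.0.0.1 still works) can be modelled outside the kernel. The following is an added example, not code from this message or from FreeBSD: a user-space model of the echo admission decision with the old single knob beside the new pair of knobs, plus an exposure estimate for one LAN segment. The type and function names (`icmp_policy`, `echo_reply_allowed`, `broadcast_amplification`) are the example's own; only the knob names mirror the sysctls in the patch, and the model keeps separate drop counters where the patch folds both into one.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: a user-space model of the ICMP echo admission policy.
 * Identifiers here are hypothetical, not kernel symbols. */

/* Destination class of the echo request, standing in for M_BCAST/M_MCAST. */
enum addr_kind { ADDR_UNICAST, ADDR_BROADCAST, ADDR_MULTICAST };

/* Knobs modelled on net.inet.icmp.bcastecho and net.inet.icmp.mcastecho. */
struct icmp_policy {
    int bcastecho;
    int mcastecho;
};

/* The patch counts both kinds of drop in one counter; this model keeps
 * them apart so an operator can see which traffic is being refused. */
struct icmp_counters {
    unsigned long dropped_bcast;
    unsigned long dropped_mcast;
    unsigned long replied;
};

/* Defaults as set by the patch: broadcast echo off, multicast echo on. */
static const struct icmp_policy patch_defaults = { 0, 1 };

/* New two-knob policy: returns true when the echo request would be
 * answered, and updates the counters the way the kernel switch does. */
bool echo_reply_allowed(const struct icmp_policy *p, enum addr_kind k,
                        struct icmp_counters *c)
{
    if (k == ADDR_BROADCAST && !p->bcastecho) {
        c->dropped_bcast++;
        return false;
    }
    if (k == ADDR_MULTICAST && !p->mcastecho) {
        c->dropped_mcast++;
        return false;
    }
    c->replied++;
    return true;
}

/* Pre-patch behaviour: a single icmpbmcastecho knob gated both kinds. */
bool old_echo_reply_allowed(int bmcastecho, enum addr_kind k)
{
    if (!bmcastecho && (k == ADDR_BROADCAST || k == ADDR_MULTICAST))
        return false;
    return true;
}

/* Exposure estimate for a segment of `hosts` machines running this policy:
 * how many of them would answer one echo request sent to the broadcast
 * address. Zero means the segment cannot act as a smurf amplifier. */
unsigned long broadcast_amplification(const struct icmp_policy *p,
                                      unsigned long hosts)
{
    struct icmp_counters scratch = { 0, 0, 0 };
    return echo_reply_allowed(p, ADDR_BROADCAST, &scratch) ? hosts : 0;
}

int main(void)
{
    static const char *names[] = { "unicast", "broadcast", "multicast" };
    struct icmp_counters c = { 0, 0, 0 };

    for (int k = 0; k < 3; k++) {
        bool new_ans = echo_reply_allowed(&patch_defaults, (enum addr_kind)k, &c);
        bool old_ans = old_echo_reply_allowed(0, (enum addr_kind)k);
        printf("%-9s old(bmcastecho=0)=%d new(bcastecho=0,mcastecho=1)=%d\n",
               names[k], old_ans, new_ans);
    }
    printf("dropped: broadcast=%lu multicast=%lu, replied=%lu\n",
           c.dropped_bcast, c.dropped_mcast, c.replied);
    /* Constructed figure: a 200-host segment under the patch defaults. */
    printf("hosts answering a broadcast ping on a 200-host LAN: %lu\n",
           broadcast_amplification(&patch_defaults, 200));
    return 0;
}
```

The table printed by `main` makes the difference concrete: with the old knob at 0 both broadcast and multicast echo were refused, whereas the patch defaults refuse only the broadcast case, which is the one a smurf attack relies on.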
----------------------------------------------------------------------
*** ip_icmp.c.orig	Tue Sep 15 12:49:03 1998
--- ip_icmp.c	Sun Sep 20 16:57:40 1998
***************
*** 69,76 ****
  SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
  	&icmpmaskrepl, 0, "");
  
! static int	icmpbmcastecho = 0;
! SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
  	   0, "");
  
  #ifdef ICMPPRINTFS
--- 69,84 ----
  SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
  	&icmpmaskrepl, 0, "");
  
! static int	icmpbcastecho = 0;
! SYSCTL_INT(_net_inet_icmp, OID_AUTO, bcastecho, CTLFLAG_RW, &icmpbcastecho,
! 	   0, "");
! 
! static int	icmpmcastecho = 1;
! SYSCTL_INT(_net_inet_icmp, OID_AUTO, mcastecho, CTLFLAG_RW, &icmpmcastecho,
! 	   0, "");
! 
! static int	icmptstampreply = 0;
! SYSCTL_INT(_net_inet_icmp, OID_AUTO, tstampreply, CTLFLAG_RW, &icmptstampreply,
  	   0, "");
  
  #ifdef ICMPPRINTFS
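Review bot: the three new SYSCTL_INT declarations all keep the empty description string `""`; give each a one-line description so the knobs are self-documenting when queried. Also, the old `bmcastecho` OID is removed outright rather than kept as a deprecated alias, so an existing /etc/sysctl.conf entry for net.inet.icmp.bmcastecho will fail at boot after this change; the rename should be documented where the sysctls are described.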
***************
*** 374,381 ****
  		break;
  
  	case ICMP_ECHO:
! 		if (!icmpbmcastecho
! 		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
  			icmpstat.icps_bmcastecho++;
  			break;
  		}
--- 382,394 ----
  		break;
  
  	case ICMP_ECHO:
! 		if (!icmpbcastecho
! 		    && (m->m_flags & M_BCAST) != 0) {
! 			icmpstat.icps_bmcastecho++;
! 			break;
! 		}
! 		if (!icmpmcastecho
! 		    && (m->m_flags & M_MCAST) != 0) {
  			icmpstat.icps_bmcastecho++;
  			break;
  		}
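Review bot: both new branches increment the same counter, `icmpstat.icps_bmcastecho++`, so the statistics cannot tell a dropped broadcast echo from a dropped multicast echo even though the policy now distinguishes them; consider a separate multicast counter (a hypothetical `icps_mcastecho`) or at least a comment stating that the count is combined. The ordering is otherwise fine, since a packet carries at most one of M_BCAST and M_MCAST.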
***************
*** 383,393 ****
  		goto reflect;
  
  	case ICMP_TSTAMP:
! 		if (!icmpbmcastecho
! 		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
! 			icmpstat.icps_bmcasttstamp++;
  			break;
- 		}
  		if (icmplen < ICMP_TSLEN) {
  			icmpstat.icps_badlen++;
  			break;
--- 396,403 ----
  		goto reflect;
  
  	case ICMP_TSTAMP:
! 		if (!icmptstampreply)
  			break;
  		if (icmplen < ICMP_TSLEN) {
  			icmpstat.icps_badlen++;
  			break;
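Review bot: `if (!icmptstampreply) break;` gates every ICMP timestamp request, unicast included, and with `icmptstampreply` defaulting to 0 this silently disables timestamp replies altogether; the removed check only dropped broadcast and multicast timestamp requests and counted them in `icps_bmcasttstamp`, which this hunk no longer increments anywhere. The cover message describes only the echo split, so either keep broadcast/multicast gating for timestamps in parallel with the echo change, or state the unicast behaviour change and the dropped counter explicitly.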

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19545.906306228>