Date:      Tue, 17 Aug 1999 11:38:27 +0200
From:      Stefan Esser <se@zpr.uni-koeln.de>
To:        Ed Baxter <Ed.Baxter@pii.com>
Cc:        freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, Stefan Esser <se@freebsd.org>
Subject:   Re: how to stop route redirects
Message-ID:  <19990817113827.A530@dialup124.zpr.uni-koeln.de>
In-Reply-To: <9908161526560P.13614@redhat>; from Ed Baxter on Mon, Aug 16, 1999 at 03:15:28PM -0700
References:  <9908161526560P.13614@redhat>

On 1999-08-16 15:15 -0700, Ed Baxter <Ed.Baxter@pii.com> wrote:
Route redirect is based on ICMP. See "man ipfw" (or "man ipf")
and referred man-pages for the packet filter extensions that 
allow blocking of all or specific ICMP redirect messages.

If you are running a recent -current (after August 10th), then 
you can control how the kernel reacts to ICMP redirect packets:

	net.inet.icmp.log_redirect: 0
	net.inet.icmp.drop_redirect: 0

Use "sysctl -w net.inet.icmp.drop_redirect=1" to ignore all ICMP
redirects (possibly after prior logging, if "log_redirect" == 1).

(You may want to merge that code into -stable, else:

	cd /sys/netinet
	cvs up -kk -j 1.35 ip_icmp.c

Or apply the patch at the end of this file to just add the "drop"
feature to -stable ...)

Regards, Stefan

Index: ip_icmp.c
===================================================================
RCS file: /usr/cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.33.2.1
diff -u -2 -r1.33.2.1 ip_icmp.c
--- ip_icmp.c	1999/03/06 23:11:41	1.33.2.1
+++ ip_icmp.c	1999/08/17 09:36:45
@@ -70,4 +70,8 @@
 	&icmpmaskrepl, 0, "");
 
+static int	drop_redirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW, 
+	&drop_redirect, 0, "");
+
 #ifdef ICMP_BANDLIM 
  
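Review bot: The description argument of the new SYSCTL_INT is an empty string, so the knob carries no text saying what net.inet.icmp.drop_redirect does. A short description (for example "Ignore ICMP redirects") in place of the empty string, plus a one-line comment above "static int drop_redirect = 0;" noting that 0 keeps the current behaviour, would document it. The SYSCTL_INT line also ends in trailing whitespace after "CTLFLAG_RW,".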
@@ -463,4 +467,6 @@
 
 	case ICMP_REDIRECT:
+		if (drop_redirect)
+			break;
 		if (code > 3)
 			goto badcode;
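Review bot: In "case ICMP_REDIRECT:" the new "if (drop_redirect) break;" runs before the existing "if (code > 3) goto badcode;", so with the knob set a redirect carrying an invalid code leaves the switch without ever reaching badcode, and nothing in these lines counts or logs the dropped message. Consider moving the drop check below the code validation, or add a comment stating that silently discarding malformed redirects is intended.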


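A user-space illustration of the decision the drop_redirect knob controls, added here as an example; it is not part of the original message or of the FreeBSD kernel source. The names classify_icmp, make_sample and the verdict enum are hypothetical, the sample packet is constructed, and this sketch validates the message before applying the drop policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_REDIRECT 5   /* ICMP type 5 (RFC 792) */
#define REDIRECT_MIN  36  /* 8-byte ICMP header + 20-byte IP header + 8 data bytes */
enum verdict { NOT_REDIRECT, MALFORMED, DROPPED, ACCEPTED };

/* RFC 1071 Internet checksum; 0 when computed over a message with a valid checksum. */
static uint16_t inet_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validate first, then apply policy; drop_redirect stands in for the sysctl value.
 * For a well-formed redirect, gw receives the advertised gateway address. */
enum verdict classify_icmp(const uint8_t *m, size_t len, int drop_redirect, uint8_t gw[4])
{
    if (len < 8 || inet_cksum(m, len) != 0)
        return MALFORMED;
    if (m[0] != ICMP_REDIRECT)
        return NOT_REDIRECT;
    if (len < REDIRECT_MIN || m[1] > 3)   /* redirect codes 0..3 are defined */
        return MALFORMED;
    memcpy(gw, m + 4, 4);
    return drop_redirect ? DROPPED : ACCEPTED;
}

/* Constructed sample: redirect to gateway 192.0.2.1 with a valid checksum. */
void make_sample(uint8_t *buf, uint8_t code)
{
    memset(buf, 0, REDIRECT_MIN);
    buf[0] = ICMP_REDIRECT; buf[1] = code;
    buf[4] = 192; buf[5] = 0; buf[6] = 2; buf[7] = 1;
    buf[8] = 0x45;                        /* first byte of the embedded IPv4 header */
    uint16_t c = inet_cksum(buf, REDIRECT_MIN);
    buf[2] = (uint8_t)(c >> 8); buf[3] = (uint8_t)(c & 0xff);
}

int main(void)
{
    uint8_t pkt[REDIRECT_MIN], gw[4];
    make_sample(pkt, 1);
    printf("verdict with drop_redirect=1: %d\n", classify_icmp(pkt, sizeof pkt, 1, gw));
    return 0;
}
```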