[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netbsd-tech-net
Subject:    Re: Ignore incoming ICMP redirect packets
From:       Jonathan Stone <jonathan () DSG ! Stanford ! EDU>
Date:       2000-02-19 21:45:08
[Download RAW message or body]


Matthias Scheler wries:

>        Manuel Bouyer <bouyer@antioche.lip6.fr> writes:
>> A sysctl net.inet.ip.acceptredirects would be nice.

>Yes, indeed. IPF works fine - thanks for the filter rule Darren - but
>is an overkill just to ignore ICMP redirects.


The Freebsd 4.0 snapshot release notes say:


FB40> Support has been added for blocking incoming ICMP redirects, outgoing RST
FB40> frames and incoming SYN|FIN frames in order to lessen or nullify the
FB40> impact of certain kinds of DoS attacks. [MERGED]
FB40> 
FB40> Support has been added for forwarding IP datagrams without inspecting or
FB40> decreasing the TTL in order to make gateways and firewalls less visible

Any chance we could use the same sysctl name(s)?  I cant tell if this
means blocking redirects for hosts that aren't routers. If so,
that sounds like a separate function.


The RST frame blocking and SYN!FIN blocking sound interesting too.

[prev in list] [next in list] [prev in thread] [next in thread]