Prompted by an undeadly post [0]. What do people think about disabling acceptance of ICMP redirects by default? The motivation is that a redirect is unauthenticated: any host on the local link can send one and have a neighbour's routing table updated, so ignoring them seems the safer default for a host, with administrators who rely on them turning the sysctl back on. I had a look in a few relevant places and didn't notice any earlier discussion of this, but if my google/grep-fu is lacking, please point me in the right direction.
[0] http://undeadly.org/cgi?action=article&sid=20090605213724&pid=30&mode=flat
Index: etc/sysctl.conf
===================================================================
RCS file: /cvs/src/etc/sysctl.conf,v
retrieving revision 1.46
diff -u -p -r1.46 sysctl.conf
--- etc/sysctl.conf 5 Jan 2008 18:38:37 -0000 1.46
+++ etc/sysctl.conf 8 Jun 2009 15:19:57 -0000
@@ -7,6 +7,8 @@
 #net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
 #net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
 #net.inet.ip.multipath=1 # 1=Enable IP multipath routing
+#net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects
+#net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects
 #net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
 #net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 multicast packets
 #net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing
Index: sys/netinet/ip_icmp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.83
diff -u -p -r1.83 ip_icmp.c
--- sys/netinet/ip_icmp.c 5 Jun 2009 00:05:22 -0000 1.83
+++ sys/netinet/ip_icmp.c 8 Jun 2009 15:19:57 -0000
@@ -113,7 +113,7 @@ int icmpprintfs = 0;
 int icmperrppslim = 100;
 int icmperrpps_count = 0;
 struct timeval icmperrppslim_last;
-int icmp_rediraccept = 1;
+int icmp_rediraccept = 0;
 int icmp_redirtimeout = 10 * 60;
 static struct rttimer_queue *icmp_redirect_timeout_q = NULL;
 struct icmpstat icmpstat;
Index: sys/netinet6/in6_proto.c
===================================================================
RCS file: /cvs/src/sys/netinet6/in6_proto.c,v
retrieving revision 1.57
diff -u -p -r1.57 in6_proto.c
--- sys/netinet6/in6_proto.c 25 Nov 2008 12:11:45 -0000 1.57
+++ sys/netinet6/in6_proto.c 8 Jun 2009 15:19:57 -0000
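Review bot: The new default `int icmp_rediraccept = 0;` changes host behaviour with no comment saying why, and the diff does not touch the sysctl(3)/sysctl(8) pages that presumably state this knob's default; add a why-comment at the definition, e.g. `int icmp_rediraccept = 0;	/* off by default: redirects are unauthenticated */`, and update the documentation in the same commit. The security case is sound, since an ICMP redirect is an unauthenticated on-link message that rewrites a host's routing table, but this is a global default, so hosts on a segment with more than one router will now keep sending through their default gateway; whether that router forwards or drops such traffic decides if this is a performance or a connectivity change, and that is worth stating in the commit message. From what I recall of icmp_input(), redirects are already discarded when ipforwarding is set, so routers should be unaffected, but that check is outside this hunk and should be confirmed. The hunk is a run of file-scope declarations that continues outside it.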
@@ -299,7 +299,7 @@ u_long rip6_sendspace = RIPV6SNDQ; u_long rip6_recvspace = RIPV6RCVQ; /* ICMPV6 parameters */ -int icmp6_rediraccept = 1; /* accept and process redirects */ +int icmp6_rediraccept = 0; /* accept and process redirects */ int icmp6_redirtimeout = 10 * 60; /* 10 minutes */ struct timeval icmp6errratelim = { 0, 0 }; /* no ratelimit */ int icmp6errppslim = 100; /* 100pps */
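Review bot: The IPv6 default `int icmp6_rediraccept = 0;` keeps the trailing comment `/* accept and process redirects */`, which now describes the opposite of the default; change it to something like `/* 0 (default): ignore ND redirects, they are unauthenticated */`. Unlike IPv4, ND Redirect processing is, as I recall of RFC 4861 §8.1, already gated on validity checks (link-local source, hop limit 255, sender equal to the current first-hop router), so the surface being closed is narrower and the RFC expects hosts to honour valid redirects; the deviation from the spec default deserves a sentence in the commit message. The 10-minute `icmp6_redirtimeout` on the next line is unaffected and still bounds the lifetime of any redirect accepted once an administrator re-enables the knob, which is worth noting in sysctl(8) alongside the new default. The surrounding declarations continue outside this hunk.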