Re: ICMP redirects

To: debian-firewall@lists.debian.org
Subject: Re: ICMP redirects
From: Gian Piero Carrubba <gpiero@rm-rf.it>
Date: Sat, 24 Aug 2013 12:18:04 +0200
Message-id: <[🔎] 20130824101804.GA7620@caimano.fdc.rm-rf.it>
In-reply-to: <[🔎] 52186BAE.1000102@oles.biz>
References: <[🔎] 52186BAE.1000102@oles.biz>

* [Sat, Aug 24, 2013 at 11:15:42AM +0300] Georgi Naplatanov:

Hi, I want my machine to ignore ICMP redirects in Debian Wheezy(Linux kernel)
Does

net.ipv4.conf.all.accept_redirects = 0

in /etc/sysctl.conf make kernel to ignore ICMP redirects for all interfaces

or
1) do I have to set it for particular interface likenet.ipv4.conf.eth0.accept_redirects = 0
or

2) do I have to set a rule in iptables like

iptables -A INPUT -i eth0 -p icmp --icmp-type 5 -j DROP

Using sysctl vs. iptables is probably a matter of taste. I usuallyprefer the former but often includes rules for the latter in order notto be hit when porting the packet filtering script to another host.As for the accept_redirects sys parameter, the following is fromDocumentation/networking/ip-sysctl.txt.gz (kernel 3.10):


accept_redirects - BOOLEAN
    Accept ICMP redirect messages.
    accept_redirects for the interface will be enabled if:
    - both conf/{all,interface}/accept_redirects are TRUE in the case
      forwarding for the interface is enabled
    or

- at least one of conf/{all,interface}/accept_redirects is TRUE inthe case forwarding for the interface is disabled

    accept_redirects for the interface will be disabled otherwise
    default TRUE (host)
            FALSE (router)

Ciao,
Gian Piero.

Reply to:

References:
- ICMP redirects
  - From: Georgi Naplatanov <gosho@oles.biz>

Prev by Date: ICMP redirects
Previous by thread: ICMP redirects
Index(es):
- Date
- Thread