
Re: ignored redirects



This one time, at band camp, martin f krafft said:
> also sprach Stephen Gran <sgran@debian.org> [2006.11.03.1227 +0100]:
> > >   net.ipv4.conf.all.accept_redirects = 0
> > 
> > That looks like overkill, see below.
> 
> Right, it may not be needed, but it's probably not overkill to
> disable a feature, is it? :)
> 
> I do the above on all my machines.
> 
> > No. ICMP redirect is only honored when it redirects to another host in
> > your subnet.  Unless you have a really large subnet, this looks like
> > nonsense.  The kernel will ignore it if it redirects you outside of your
> > subnet.
> 
> So is this what these messages are about, and would it look
> different if someone tried a valid redirect that would be ignored
> due to my configuration?
> 
> Sorry, I currently only have one functional machine in my test
> network. :/

I see them at one installation at work.  There, the gateway is
10.103.4.3 or something, but some machines have their gateway still set
to the old router, 10.103.4.1.  When packets arrive at .1 for an
internet site, .1 sends an ICMP redirect to tell them to use .3 instead,
and they do.  This is correct behavior by all parties.  It's some wasted
network traffic, and we're cleaning it up as we notice it, but it's
harmless overall.

I'm not sure that answers your question, though.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
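
Added example, not part of the original thread: a shell check of whether each interface would actually accept ICMP redirects, given the accept_redirects setting quoted above. Per the kernel's ip-sysctl documentation, with forwarding enabled on an interface both conf/all and conf/<iface> must be set, while with forwarding disabled either one is enough. The function names and the optional root-directory argument are hypothetical, introduced here for illustration.

```shell
#!/bin/sh
# Added example: compute the effective accept_redirects state per interface.
# CONF_ROOT is the real sysctl tree; the functions take an alternative root
# so the logic can be run against a constructed directory tree.
CONF_ROOT=/proc/sys/net/ipv4/conf

# effective_accept_redirects IFACE [ROOT]
# Prints 1 if IFACE would accept ICMP redirects, 0 otherwise.
effective_accept_redirects() {
    iface=$1
    root=${2:-$CONF_ROOT}
    all=$(cat "$root/all/accept_redirects")
    own=$(cat "$root/$iface/accept_redirects")
    fwd=$(cat "$root/$iface/forwarding")
    if [ "$fwd" -ne 0 ]; then
        # Forwarding enabled: "all" AND the interface value must both be set.
        if [ "$all" -ne 0 ] && [ "$own" -ne 0 ]; then echo 1; else echo 0; fi
    else
        # Forwarding disabled: "all" OR the interface value is enough.
        if [ "$all" -ne 0 ] || [ "$own" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# audit_redirects [ROOT]
# Prints one line per real interface (skips the "all" and "default" templates).
audit_redirects() {
    root=${1:-$CONF_ROOT}
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case $iface in all|default) continue ;; esac
        [ -r "$dir/accept_redirects" ] || continue
        if [ "$(effective_accept_redirects "$iface" "$root")" = 1 ]; then
            echo "$iface: accepts ICMP redirects"
        else
            echo "$iface: ignores ICMP redirects"
        fi
    done
}

# Run against the live tree only where it exists and is readable.
if [ -r "$CONF_ROOT/all/accept_redirects" ]; then
    audit_redirects "$CONF_ROOT"
fi
```

On a non-forwarding host an interface whose own value is still 1 is reported as accepting even when the "all" value is 0, so the per-interface and default values need checking as well.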
