On 12-02-21 01:57 PM, Alberto Gonzalez Iniesta wrote:
> On Tue, Feb 21, 2012 at 01:46:51PM -0500, Simon Deziel wrote:
>> On 12-02-21 11:41 AM, Teodor MICU wrote:
>>> This is a hack anyway. How about dealing with this properly with some
>>> code in OpenVPN? If I were you I would propose this to upstream
>>> developers.
>>
>> Upstream (EugeneKay on #openvpn) expressed that they were not inclined
>> to make those changes. They suggest to filter those bogus ICMP redirects
>> at the firewall level. IMHO, avoiding the generation of those bogus ICMP
>> redirects is cleaner and I still think the init script should take care
>> of this.
>>
>> @Alberto, may I ask your opinion on this one?
>
> Hi,
>
> I'd like to give this a second thought (kfreebsd compatibility worries
> me too)
I'm also for portability and wouldn't mind using sysctl instead of relying
on proc files. I think the following procedure relying on sysctl would
effectively turn off redirects for dynamically and statically created tun
devices:

1) Set net.ipv4.conf.all.send_redirects = 0
2) Save net.ipv4.conf.default.send_redirects value
3) Set net.ipv4.conf.default.send_redirects = 0
4) Call the daemon to create the tun
5) Restore net.ipv4.conf.default.send_redirects initial value

Is this better?

> How about suggesting (i.e. in README.Debian) inserting that piece of
> shell you sent in "up" scripts for those people using tun + subnet?
>
> Maybe including it as /usr/share/openvpn/examples/avoid_redirects.sh
> so people could just "source" it in their "up" script?

All my VPNs run with uid != root and are also chroot'ed so an "up" script
is not going to help. Adding it to the documentation would be a good idea
if the init script approach is not retained.

> Thanks both of you for your interest!

I appreciate both of your input too, thanks

Simon
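As an added example (not code from this thread, from Simon, or from the Debian openvpn package), here is how an init script could implement the five-step sysctl procedure above as a POSIX sh wrapper around the daemon start. The function names and the run_sysctl indirection are this example's own choices; the Linux sysctl keys are the ones the procedure names, and on kFreeBSD the key names differ, so the wrapper would need different keys there.

```shell
#!/bin/sh
# Added example: wrap a daemon start so that both existing interfaces and
# the tun the daemon creates have send_redirects=0, while leaving the
# system-wide default unchanged once the daemon is up.
#
#  1) net.ipv4.conf.all.send_redirects     = 0
#  2) save net.ipv4.conf.default.send_redirects
#  3) net.ipv4.conf.default.send_redirects = 0
#  4) run the daemon (it creates the tun, which copies "default")
#  5) restore net.ipv4.conf.default.send_redirects
#
# Key names are Linux-specific (assumption for this example: kFreeBSD uses
# different sysctl names and would need its own branch).

ALL_KEY=net.ipv4.conf.all.send_redirects
DEFAULT_KEY=net.ipv4.conf.default.send_redirects

# Thin wrapper around the sysctl binary so another implementation can be
# substituted (e.g. for testing without root).
run_sysctl() { sysctl "$@"; }

# Print the current value of a key, or nothing if it cannot be read.
sysctl_get() {
    run_sysctl -n "$1" 2>/dev/null
}

# Write key=value quietly; return sysctl's status.
sysctl_set() {
    run_sysctl -q -w "$1=$2" >/dev/null
}

# start_without_redirects CMD [ARGS...]
# Runs CMD with redirect generation disabled for all current interfaces and
# for any interface created while CMD runs.  Returns CMD's exit status, and
# restores the saved default even when CMD fails.
start_without_redirects() {
    saved=$(sysctl_get "$DEFAULT_KEY")
    if [ -z "$saved" ]; then
        echo "start_without_redirects: cannot read $DEFAULT_KEY" >&2
        return 1
    fi
    sysctl_set "$ALL_KEY" 0 || return 1
    sysctl_set "$DEFAULT_KEY" 0 || return 1

    rc=0
    "$@" || rc=$?

    # Step 5: only the "default" template goes back; "all" stays at 0 and
    # the new tun keeps the 0 it inherited at creation time.
    sysctl_set "$DEFAULT_KEY" "$saved" || echo \
        "start_without_redirects: failed to restore $DEFAULT_KEY=$saved" >&2
    return $rc
}

# Usage from an init script (hypothetical daemon command line):
#   start_without_redirects /usr/sbin/openvpn --daemon --config "$CONFIG"
```

On Linux an interface sends redirects when either net.ipv4.conf.all.send_redirects or its own per-interface flag is set, which is why steps 1 and 3 are both needed rather than step 1 alone; the per-interface flag of a new tun is copied from "default" at creation, so the restore in step 5 must happen only after the daemon has created the device. If the daemon forks before it opens the tun, the restore can race with device creation, so check where the daemon creates its interface relative to the point where the wrapper regains control.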

