Thanks all,
>Yes, the issues are that it is trivial to fake, allowing everyone on your
>network to reconfigure your routing tables. On the Internal Network this
>might be OK (actually RIP isn't more secure). Personally I like ICMP
>redirects on smaller internal Networks as a good routing solution. On
>external Network Interfaces I don't see a big win by leaving it enabled. Do
>you have more than one gateway and are unable to configure your routing
>static?
This is exactly the point. I need a different gateway for the QA lab inside the
internal net.
>There is a default option for letting ICMP redirects only be sent by the
>Gateways. This is fine, preventing a bit more accidental messing with your
>routing table.
This is a gateway - so I suppose it's OK. :)
>Greetings
>Bernd
>--
> (OO) -- [EMAIL PROTECTED] --
> ( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
> o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
>(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
>If you fall in the large category of people having a FW connected to only
>one external router, your FW is not supposed to get ICMP redirects
>from the outside. So there's no reason to let'em pass.
>The problem with icmp redir is if a malicious entity manages to make you
>send packets using a maliciously chosen route where passive and/or active
>attacks can be performed.
>*BSD systems have system-wide parameters to drop or log icmp redirects
>(sysctl with net.inet.icmp.[drop_redirect, log_redirect]).
Fortunately - it's FreeBSD (4.2 stable) running - so I will log it. :-)
>>Is it safe to leave it on external interfaces?
>If there's a place to drop it, that's the external interface!
>(unless your FW mission is to protect the internet from
>your insiders:)
>>Any links are greatly appreciated.
>cheers,
>mouss
---------------------------------------------------------------------
Daniel Mester
Portal Technologies Manager
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
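The thread settles on two controls for a FreeBSD firewall: the system-wide sysctls net.inet.icmp.drop_redirect and net.inet.icmp.log_redirect, and reviewing what gets logged when redirects are left on so an internal gateway can steer traffic to the QA lab. The script below is an added example written for this archive, not code from any poster or from FreeBSD. It audits a sysctl(8) snapshot for the two settings named above and then scans syslog lines for redirects that did not come from a configured gateway or that point the next hop outside the internal networks. Assumptions: the kernel message format "icmp redirect from <src>: <dst> => <gw>" is assumed, and the sysctl values, log lines, gateway address and network ranges are constructed for illustration.

```python
import re
import ipaddress
from typing import Dict, List

# Constructed output of `sysctl net.inet.icmp` on the firewall (values are
# illustrative, not taken from the thread): redirects are honoured but logged.
SYSCTL_SNAPSHOT = """\
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 1
"""

# Assumed shape of the kernel message produced with log_redirect=1; the
# sample lines are constructed, including the addresses.
REDIRECT_RE = re.compile(
    r"icmp redirect from (?P<src>\d+\.\d+\.\d+\.\d+): "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) => (?P<gw>\d+\.\d+\.\d+\.\d+)"
)

SAMPLE_LOG = """\
Mar  3 10:14:02 fw /kernel: icmp redirect from 192.168.1.1: 10.20.0.7 => 192.168.1.254
Mar  3 10:14:09 fw /kernel: icmp redirect from 192.168.1.77: 10.20.0.7 => 192.168.1.77
Mar  3 10:15:00 fw /kernel: icmp redirect from 203.0.113.9: 10.20.0.7 => 203.0.113.50
Mar  3 10:15:30 fw sshd[123]: Accepted publickey for ops
"""


def parse_sysctl(text: str) -> Dict[str, int]:
    """Turn 'name: value' lines from sysctl(8) into a dict of integers."""
    settings: Dict[str, int] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        try:
            settings[name.strip()] = int(value.strip())
        except ValueError:
            continue  # non-numeric sysctls are not of interest here
    return settings


def audit_redirect_sysctls(settings: Dict[str, int], border_firewall: bool = True) -> List[str]:
    """Report weak redirect settings. A border firewall with one external
    router has no legitimate reason to honour redirects, so drop_redirect=0
    is a finding there; missing logging is a finding everywhere."""
    findings = []
    if border_firewall and settings.get("net.inet.icmp.drop_redirect", 0) == 0:
        findings.append("net.inet.icmp.drop_redirect=0: redirects are honoured; set to 1")
    if settings.get("net.inet.icmp.log_redirect", 0) == 0:
        findings.append("net.inet.icmp.log_redirect=0: redirects are not logged; set to 1")
    return findings


def suspicious_redirects(log_text: str, trusted_gateways: List[str],
                         internal_nets: List[str]) -> List[dict]:
    """Return logged redirects whose sender is not one of the configured
    gateways, or whose new next hop lies outside the internal networks.
    Either condition is the redirect-based route manipulation mouss describes."""
    trusted = {ipaddress.ip_address(g) for g in trusted_gateways}
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in log_text.splitlines():
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        src, dst, gw = (ipaddress.ip_address(m.group(k)) for k in ("src", "dst", "gw"))
        reasons = []
        if src not in trusted:
            reasons.append("sender is not a configured gateway")
        if not any(gw in net for net in nets):
            reasons.append("new next hop is outside the internal networks")
        if reasons:
            hits.append({"src": str(src), "dst": str(dst), "gw": str(gw), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for finding in audit_redirect_sysctls(parse_sysctl(SYSCTL_SNAPSHOT)):
        print("FINDING:", finding)
    # Constructed topology: 192.168.1.1 is the only legitimate redirect sender,
    # and 192.168.1.254 is the QA lab router it points the firewall at.
    for hit in suspicious_redirects(SAMPLE_LOG, ["192.168.1.1"],
                                    ["192.168.1.0/24", "10.20.0.0/16"]):
        print("SUSPICIOUS:", hit)
```

Because the FreeBSD sysctls are system-wide, they cannot drop redirects on the external interface while still honouring them internally; the per-interface drop the thread recommends has to be done in the packet filter (ICMP type 5) on the external interface, with the log review above covering what the internal side still accepts.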