On 1999-08-16 15:15 -0700, Ed Baxter <[EMAIL PROTECTED]> wrote:
Route redirect is based on ICMP. See "man ipfw" (or "man ipf")
and referred man-pages for the packet filter extensions that
allow blocking of all or specific ICMP redirect messages.
If you are running a recent -current (after August 10th), then
you can control how the kernel reacts to ICMP redirect packets:

    net.inet.icmp.log_redirect: 0
    net.inet.icmp.drop_redirect: 0

Use "sysctl -w net.inet.icmp.drop_redirect=1" to ignore all ICMP
redirects (possibly after prior logging, if "log_redirect" == 1).
(You may want to merge that code into -stable, else:

    cd /sys/netinet
    cvs up -kk -j 1.35 ip_icmp.c

Or apply the patch at the end of this file to just add the "drop"
feature to -stable ...)

Regards, Stefan

Index: ip_icmp.c
===================================================================
RCS file: /usr/cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.33.2.1
diff -u -2 -r1.33.2.1 ip_icmp.c
--- ip_icmp.c 1999/03/06 23:11:41 1.33.2.1
+++ ip_icmp.c 1999/08/17 09:36:45
@@ -70,4 +70,8 @@
&icmpmaskrepl, 0, "");
+static int drop_redirect = 0;
+SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW,
+ &drop_redirect, 0, "");
+
#ifdef ICMP_BANDLIM
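Review bot: The new SYSCTL_INT for drop_redirect is registered with an empty description string (`&drop_redirect, 0, "");`), so the knob carries no documentation where an administrator would look for it; give it a short description such as "Ignore ICMP redirects". The initial value of 0 keeps redirects accepted by default, which is worth stating in the commit message because the setting only protects hosts that turn it on.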
@@ -463,4 +467,6 @@
case ICMP_REDIRECT:
+ if (drop_redirect)
+ break;
if (code > 3)
goto badcode;
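Review bot: In case ICMP_REDIRECT the new `if (drop_redirect) break;` runs before the `code > 3` check, so every redirect, valid or malformed, is discarded with nothing logged or counted in the visible lines. Consider logging or bumping a statistic before the break (the -current change mentioned in this mail has log_redirect for that), so an administrator can tell that redirects are arriving and being ignored.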