Saturday, August 24, 2013

Re: ICMP redirects

* [Sat, Aug 24, 2013 at 11:15:42AM +0300] Georgi Naplatanov:
>Hi, I want my machine to ignore ICMP redirects in Debian Wheezy
>(Linux kernel)
>
>Does
>
>net.ipv4.conf.all.accept_redirects = 0
>
>in /etc/sysctl.conf make the kernel ignore ICMP redirects for all interfaces
>
>or
>
>1) do I have to set it for particular interface like
>net.ipv4.conf.eth0.accept_redirects = 0
>
>or
>
>2) do I have to set a rule in iptables like
>
>iptables -A INPUT -i eth0 -p icmp --icmp-type 5 -j DROP

Using sysctl vs. iptables is probably a matter of taste. I usually
prefer the former but often include rules for the latter in order not
to be hit when porting the packet filtering script to another host.
As for the accept_redirects sys parameter, the following is from
Documentation/networking/ip-sysctl.txt.gz (kernel 3.10):

accept_redirects - BOOLEAN
    Accept ICMP redirect messages.
    accept_redirects for the interface will be enabled if:
    - both conf/{all,interface}/accept_redirects are TRUE in the case
      forwarding for the interface is enabled
    or
    - at least one of conf/{all,interface}/accept_redirects is TRUE in
      the case forwarding for the interface is disabled
    accept_redirects for the interface will be disabled otherwise
    default TRUE (host)
            FALSE (router)

Ciao,
Gian Piero.


Archive: http://lists.debian.org/20130824101804.GA7620@caimano.fdc.rm-rf.it
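
The rule quoted from ip-sysctl.txt above, evaluated per interface. This is an added example, not part of the original mail: the function names and the sample values (all=0, eth0, eth1) are constructed for illustration, while the conf/<iface>/accept_redirects and conf/<iface>/forwarding layout is the one under /proc/sys/net/ipv4.

```shell
#!/bin/sh
# Effective accept_redirects per interface, per the quoted kernel rule.

# effective_accept_redirects ALL IFACE FORWARDING -> prints 1 or 0
effective_accept_redirects() {
    ar_all=$1; ar_if=$2; fwd=$3
    if [ "$fwd" -ne 0 ]; then
        # forwarding enabled: both all and the interface must be TRUE
        if [ "$ar_all" -ne 0 ] && [ "$ar_if" -ne 0 ]; then echo 1; else echo 0; fi
    else
        # forwarding disabled: one TRUE value is enough
        if [ "$ar_all" -ne 0 ] || [ "$ar_if" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# report_redirects [CONF_DIR] -> one line per interface (all/default skipped)
report_redirects() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    g_all=$(cat "$conf/all/accept_redirects") || return 1
    for d in "$conf"/*/; do
        d=${d%/}
        ifname=$(basename "$d")
        case $ifname in all|default) continue ;; esac
        v=$(cat "$d/accept_redirects")
        f=$(cat "$d/forwarding")
        printf '%s all=%s if=%s forwarding=%s effective=%s\n' "$ifname" \
            "$g_all" "$v" "$f" "$(effective_accept_redirects "$g_all" "$v" "$f")"
    done
}

# make_sample -> prints the path of a constructed conf tree (not host state):
# all=0 as in the question, per-interface values left at 1,
# eth0 not forwarding, eth1 forwarding. Spec format: name:accept:forwarding
make_sample() {
    root=$(mktemp -d)
    for spec in all:0:0 eth0:1:0 eth1:1:1; do
        n=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$root/$n"
        echo "${rest%%:*}" > "$root/$n/accept_redirects"
        echo "${rest#*:}" > "$root/$n/forwarding"
    done
    echo "$root"
}

# Default run uses the constructed tree; pass /proc/sys/net/ipv4/conf
# as the first argument to report on the live host instead.
sample=$(make_sample)
report_redirects "${1:-$sample}"
rm -rf "$sample"
```

In the constructed tree, eth0 (not forwarding) still ends up with redirects accepted although all is 0, because its own value is 1.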