On 12-02-21 10:15 AM, Teodor MICU wrote:
> Hi,
>
> 2012/2/21 Simon Deziel <[email protected]>:
>>> Is this line really necessary??
>>>> + echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>>
>> Yes that is required, even if that sounds odd to me too.
>
> I usually disable all redirects on all Linux hosts.
> | # Do not accept ICMP redirects (prevent MITM attacks)
> | net.ipv4.conf.all.accept_redirects = 0
> | # Do not send ICMP redirects (we are not a router)
> | net.ipv4.conf.all.send_redirects = 0
>
> This is a grave bug to enable all ICMP redirects unconditionally. I
> would probably understand the need to be enabled *only* on tun/tap
> devices managed by OpenVPN but for a good technical reason. Care to
> explain more?
The proposed changes are about _disabling_ ICMP redirects for tun-based VPNs.

Generally disabling send_redirects is something that should be handled at the distro level IMO. FWIW, on Ubuntu, net.ipv4.conf.all.accept_redirects = 0 by default; don't know on Debian though.
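The thread turns on per-interface versus host-wide redirect settings. The script below is an added example, not part of the thread, the OpenVPN package or any distro: it audits a /proc/sys/net/ipv4/conf-style tree for accept_redirects and send_redirects, reports the effective send setting per interface (the kernel enables sending if either conf/all or the interface's own value is 1, so both must be 0), and prints the host-wide sysctl lines Teodor quotes plus the matching `default` entries. The function names, the `--demo` flag and the constructed sample tree (where only tun0 has been hardened) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit ICMP redirect sysctls under a /proc/sys/net/ipv4/conf-
# style tree. Pass the real tree (/proc/sys/net/ipv4/conf) or a constructed one.

# Print one line per interface and return 1 if any interface still accepts
# redirects or can still send them once conf/all is taken into account.
audit_redirects() {
    conf_root="$1"
    all_snd=$(cat "$conf_root/all/send_redirects" 2>/dev/null || echo 1)
    rc=0
    for d in "$conf_root"/*/; do
        iface=$(basename "$d")
        acc=$(cat "$d/accept_redirects" 2>/dev/null || echo "?")
        snd=$(cat "$d/send_redirects" 2>/dev/null || echo "?")
        # Kernel semantics (ip-sysctl.txt): sending is enabled if conf/all OR
        # conf/<iface> is 1, so the interface value alone is not enough.
        if [ "$all_snd" = "0" ] && [ "$snd" = "0" ]; then
            eff="disabled"
        else
            eff="enabled"
        fi
        printf '%-8s accept_redirects=%s send_redirects=%s effective_send=%s\n' \
            "$iface" "$acc" "$snd" "$eff"
        [ "$acc" = "0" ] && [ "$eff" = "disabled" ] || rc=1
    done
    return $rc
}

# Constructed sample tree (not a real host): everything accepts and sends
# redirects except tun0, which a per-interface script has set to 0.
make_sample_tree() {
    root=$(mktemp -d)
    for iface in all default eth0 tun0; do
        mkdir -p "$root/$iface"
        echo 1 > "$root/$iface/accept_redirects"
        echo 1 > "$root/$iface/send_redirects"
    done
    echo 0 > "$root/tun0/accept_redirects"
    echo 0 > "$root/tun0/send_redirects"
    echo "$root"
}

# Host-wide settings from the quoted sysctl.conf, with the matching "default"
# entries so interfaces created later (e.g. new tun devices) inherit them.
# On a live host: write this to /etc/sysctl.d/ and run sysctl -p on the file.
hardened_sysctl_conf() {
    cat <<'EOF'
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    audit_redirects "$tree" || echo "some interfaces still accept or send redirects"
    rm -rf "$tree"
fi
```

Run it with `--demo` to see that tun0 alone reporting 0/0 still yields `effective_send=enabled` because conf/all is 1; that is the case in which setting conf/all/send_redirects, as the quoted OpenVPN line does, actually changes behaviour.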

