* [Sat, Aug 24, 2013 at 11:15:42AM +0300] Georgi Naplatanov:
Hi, I want my machine to ignore ICMP redirects in Debian Wheezy (Linux kernel)

Does

net.ipv4.conf.all.accept_redirects = 0

in /etc/sysctl.conf make the kernel ignore ICMP redirects for all interfaces

or

1) do I have to set it for particular interface like net.ipv4.conf.eth0.accept_redirects = 0

or

2) do I have to set a rule in iptables like

iptables -A INPUT -i eth0 -p icmp --icmp-type 5 -j DROP

Using sysctl vs. iptables is probably a matter of taste. I usually prefer the former but often include rules for the latter in order not to be hit when porting the packet filtering script to another host. As for the accept_redirects sys parameter, the following is from Documentation/networking/ip-sysctl.txt.gz (kernel 3.10):

accept_redirects - BOOLEAN
    Accept ICMP redirect messages.
    accept_redirects for the interface will be enabled if:
    - both conf/{all,interface}/accept_redirects are TRUE in the case
      forwarding for the interface is enabled
    or
    - at least one of conf/{all,interface}/accept_redirects is TRUE in the
      case forwarding for the interface is disabled
    accept_redirects for the interface will be disabled otherwise
    default TRUE (host)
            FALSE (router)

Ciao,
Gian Piero.
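
Added example, not part of the original messages: a shell sketch of the rule quoted from ip-sysctl.txt, showing that with forwarding disabled, all=0 alone leaves redirects accepted on an interface whose own value is still 1. The function names and the sample tree are constructed for illustration; only the accept_redirects and forwarding files under /proc/sys/net/ipv4/conf/ are real.

```shell
#!/bin/sh
# Effective accept_redirects per the rule quoted from ip-sysctl.txt:
#   forwarding enabled  -> conf/all AND conf/<interface>
#   forwarding disabled -> conf/all OR  conf/<interface>
# Args: <all> <interface> <forwarding>, each 0 or 1. Prints 1 or 0.
effective_accept_redirects() {
    a=$1 i=$2 f=$3
    if [ "$f" -ne 0 ]; then
        if [ "$a" -ne 0 ] && [ "$i" -ne 0 ]; then echo 1; else echo 0; fi
    else
        if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# Audit every interface under a conf directory (default: the live kernel).
# Prints "<interface> <effective>" per line. The root is a parameter so the
# function can also be run against a constructed tree.
audit_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/accept_redirects")
    for dir in "$root"/*/; do
        name=$(basename "$dir")
        case $name in all|default) continue ;; esac
        iface=$(cat "$dir/accept_redirects")
        fwd=$(cat "$dir/forwarding")
        echo "$name $(effective_accept_redirects "$all" "$iface" "$fwd")"
    done
}

# Constructed sample (hypothetical host, forwarding disabled everywhere):
# all=0, eth0 left at 1, eth1 set to 0.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/all" "$t/default" "$t/eth0" "$t/eth1"
    echo 0 > "$t/all/accept_redirects"
    echo 1 > "$t/eth0/accept_redirects"; echo 0 > "$t/eth0/forwarding"
    echo 0 > "$t/eth1/accept_redirects"; echo 0 > "$t/eth1/forwarding"
    echo "$t"
}

sample=$(make_sample_tree)
audit_redirects "$sample"
rm -rf "$sample"
```

Run with no argument, audit_redirects reads the live values; on a non-forwarding host an interface reports 0 only when both the all and the per-interface value are 0.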



  • ICMP redirects Georgi Naplatanov
    • Re: ICMP redirects Gian Piero Carrubba
