On 08/21/2010 02:08 AM, Brandon Ross wrote:
> On Fri, 20 Aug 2010, Ricky Beam wrote:
>> I think it's almost universally disabled (by default) everywhere in IPv4 purely for security (traffic interception.)
> Okay, I'll ask again. Exactly how does disabling ICMP redirects on my router prevent traffic from being intercepted?
As was mentioned in another part of the thread. You disable it on the host and if no host is using it, you might as well disable it on the router as well. Others mentioned some routers need to handle this in software instead of hardware, which is obviously slower. It might also help you notice you have a rogue host when you are looking at your network traffic and if you know your network doesn't have any ICMP redirects normally.

Disabling on the host:

OpenBSD:

    echo net.inet.icmp.rediraccept=0 >> /etc/sysctl.conf
    echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
    sysctl net.inet.icmp.rediraccept=0
    sysctl net.inet6.icmp6.rediraccept=0

FreeBSD:

    # drop_redirect=1 makes the host ignore IPv4 redirects
    echo net.inet.icmp.drop_redirect=1 >> /etc/sysctl.conf
    echo net.inet6.icmp6.rediraccept=0 >> /etc/sysctl.conf
    sysctl net.inet.icmp.drop_redirect=1
    sysctl net.inet6.icmp6.rediraccept=0

Linux:

    echo net.ipv4.conf.all.accept_redirects = 0 >> /etc/sysctl.conf
    echo net.ipv4.conf.all.send_redirects = 0 >> /etc/sysctl.conf
    sysctl -p /etc/sysctl.conf
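An added example, not part of the original message: a POSIX shell check of the effective Linux IPv4 redirect settings per interface. Per the kernel's ip-sysctl documentation, an interface with forwarding disabled accepts redirects if either conf/all or its own accept_redirects is 1, and sends them if either send_redirects is 1, so setting only the "all" values can leave an interface enabled. The function names, the CONF_ROOT variable and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective IPv4 redirect settings per interface (all/<iface> rules).

# accepts_redirects ROOT IFACE: print 1 if IFACE would accept ICMP redirects.
accepts_redirects() {
    all=$(cat "$1/all/accept_redirects")
    own=$(cat "$1/$2/accept_redirects")
    fwd=$(cat "$1/$2/forwarding")
    if [ "$fwd" = 1 ]; then
        # Forwarding enabled: accepted only if BOTH all and the interface say 1.
        if [ "$all" = 1 ] && [ "$own" = 1 ]; then echo 1; else echo 0; fi
    else
        # Forwarding disabled (a plain host): accepted if EITHER says 1.
        if [ "$all" = 1 ] || [ "$own" = 1 ]; then echo 1; else echo 0; fi
    fi
}

# sends_redirects ROOT IFACE: print 1 if IFACE would send ICMP redirects.
sends_redirects() {
    all=$(cat "$1/all/send_redirects")
    own=$(cat "$1/$2/send_redirects")
    if [ "$all" = 1 ] || [ "$own" = 1 ]; then echo 1; else echo 0; fi
}

# audit_redirects ROOT: one line per interface; returns 1 if any is still enabled.
audit_redirects() {
    rc=0
    for dir in "$1"/*/; do
        ifc=$(basename "$dir")
        case $ifc in all|default) continue ;; esac
        a=$(accepts_redirects "$1" "$ifc"); s=$(sends_redirects "$1" "$ifc")
        echo "$ifc accept=$a send=$s"
        if [ "$a" = 1 ] || [ "$s" = 1 ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample tree: all/* = 0 as in the post, eth0 still set to 1.
mk_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/all" "$t/eth0"
    echo 0 > "$t/all/accept_redirects"; echo 0 > "$t/all/send_redirects"
    echo 1 > "$t/eth0/accept_redirects"; echo 1 > "$t/eth0/send_redirects"
    echo 0 > "$t/eth0/forwarding"
    echo "$t"
}

SAMPLE=$(mk_sample)
audit_redirects "${CONF_ROOT:-$SAMPLE}" || echo "redirects still effective on an interface"
```

Run it with CONF_ROOT=/proc/sys/net/ipv4/conf to audit a live Linux host instead of the sample tree.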