SUMMARY: minor correction to SUMMARY: Preventing ICMP redirects

From: Williams, David J <David.J.Williams_at_au.faulding.com>
Date: Wed, 28 Mar 2001 11:42:02 +0930

On Fri, 23 Mar 2001 Derk Tegeler posted a summary entitled SUMMARY:
Preventing ICMP redirects.

I found this posting very helpful, but also found an error that I thought
should be corrected.

The dbx assign command is not permanent and any changes made with the dbx
assign command will be lost after a system reboot.

The dbx patch command on the other hand is permanent, so to speak, and any
changes made with the dbx patch command will remain after a system reboot.
Of course, you'll need to reapply any changes if you regenerate/recompile
the kernel.

I found the following excerpt on the Compaq Tru64 UNIX 4.0F Documentation
(AG-QTMBE-BS) cdrom:

--------------------------------------------------------------------------------
Use the dbx patch command to modify the current (run-time) values of kernel
variables. The values you assign by using the dbx patch command are lost
when you rebuild the kernel. 
Notes
If possible, use the sysconfig command or the Kernel Tuner to modify
subsystem attributes instead of using dbx to modify kernel variables. Do not
specify erroneous values for kernel variables, because system behavior may
be unpredictable. If you want to modify a variable, use only the recommended
values described in this manual. 
The following example of the dbx patch command changes the current value of
the cluster_consec_init variable to 8: 
# /usr/ucb/dbx -k /vmunix /dev/mem 
(dbx) patch cluster_consec_init = 8
32767
(dbx)
To ensure that the system is utilizing a new kernel variable value, reboot
the system. See the Programmer's Guide for detailed information about the
dbx debugger. 
You can also use the dbx assign command to modify run-time kernel variable
values. However, the modifications are lost when you reboot the system. 
--------------------------------------------------------------------------------
So, if you want the change Derk describes below to remain after system
reboots, you should use the patch command rather than the assign command:
dbx -k /vmunix
...
(dbx) patch icmp_rejectcodemask=0x20
32
(dbx)
Below is Derk's original SUMMARY posting:
--------------------------------------------------------------------------------
SUMMARY: Preventing ICMP redirects
--------------------------------------------------------------------------------
To: "'tru64-unix-managers_at_xxxxxxxx'" <tru64-unix-managers_at_xxxxxxxx> 
Subject: SUMMARY: Preventing ICMP redirects 
From: Derk Tegeler <derk.tegeler_at_xxxxxx> 
Date: Fri, 23 Mar 2001 14:33:36 +0100 
Cc: Tjeerd van Lemel <tjeerd.van.lemel_at_xxxxxx>, Teco Boot
<teco.boot_at_xxxxxx>,Marco Warnier <marco.warnier_at_xxxxxx> 
Delivered-to: tru64-unix-managers_at_sws1.ctd.ornl.gov 
Followup-to: poster 
Sender: tru64-unix-managers-owner_at_xxxxxxxx 
--------------------------------------------------------------------------------
With thanks to Bryan Lavelle for the dbx part.
The problem: many network devices that may act as a router believe that they
are alone (Brands Apollo access server, some 3com devices, ...) and broadcast
ICMP-redirect packets, thus modifying the default route on hosts. Although
the ICMP-redirect mechanism is correct behaviour from a host point of view, it
is in many cases not desired and is a security risk.
The solution: on a running kernel set icmp_rejectcodemask=0x20 as follows
dbx -k /vmunix
...
(dbx) assign icmp_rejectcodemask=0x20
32
(dbx)
An alternative to the above is to use "patch" instead of "assign", making
the modification impermanent, i.e. the kernel will resume normal behaviour
at the next reboot.
The ICMP_REDIRECT bit is the 6th bit in the icmp part of the IP header (bit
number 5). By setting the 6th bit in the mask above, the kernel will reject
(ignore, drop) all icmp redirect packets.
Regards,
Derk Tegeler
-----Original Message-----
From: Derk Tegeler [mailto:derk.tegeler_at_cmg.nl]
Sent: Friday, March 23, 2001 10:09
To: 'tru64-unix-managers_at_ornl.gov'
Subject: Preventing ICMP redirects
Hi,
Does anybody know how to prevent ICMP-redirect from modifying a default
(static) route?
Note the M flag on the default route, in the routing table below.
PS: t64 v4.0f
Regards,
Derk Tegeler
# netstat -rn
Routing tables
Destination      Gateway            Flags     Refs     Use  Interface
Netmasks:
Inet             0.0.0.0
Inet             255.255.255.0
Route Tree for Protocol Family 2:
default          192.168.102.233    UGMS        2   108267  tu0
...
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
David J Williams
Technical Specialist
Information Services
F H Faulding & Co Limited
Tel: +61 8 8209 2624/ Fax: +61 8 8285 7736
mailto:david.j.williams_at_au.faulding.com
http://www.faulding.com
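As an added example, not part of David's or Derk's messages nor of the Compaq documentation, the following Python script shows the arithmetic behind icmp_rejectcodemask=0x20 (bit 5 set, which is why dbx echoes 32), simulates the drop/accept decision that mask implies on a constructed ICMP redirect and a constructed echo request, and flags routes whose netstat -rn Flags column carries M, the marker Derk points to for a route rewritten by a redirect. The packet builder, its addresses and the second route line in the netstat sample are constructed for the example; the default-route line is taken from Derk's post.

```python
"""Added example (not from the thread or the Compaq documentation).

Shows the arithmetic behind icmp_rejectcodemask=0x20, simulates the reject
decision the mask implies on a constructed ICMP packet, and flags routes
whose netstat -rn flags carry M (modified by an ICMP redirect).
"""
import struct

# ICMP message types (RFC 792). Bit N of icmp_rejectcodemask covers type N.
ICMP_ECHO_REPLY = 0
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8


def reject_mask(*icmp_types):
    """Build an icmp_rejectcodemask value from the ICMP types to drop."""
    mask = 0
    for icmp_type in icmp_types:
        if not 0 <= icmp_type < 32:
            raise ValueError(f"ICMP type {icmp_type} does not fit a 32-bit mask")
        mask |= 1 << icmp_type
    return mask


def is_rejected(mask, icmp_type):
    """True when the mask bit for this ICMP type is set."""
    return bool(mask & (1 << icmp_type))


def build_icmp_packet(icmp_type, code=0, rest=0):
    """Constructed IPv4 + ICMP header with placeholder addresses; checksums are
    left at zero because only the type byte matters for the mask decision."""
    src = bytes([192, 168, 102, 233])   # constructed: the redirecting router
    dst = bytes([192, 168, 102, 10])    # constructed: the host
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, src, dst)
    icmp_header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    return ip_header + icmp_header


def icmp_type_of(packet):
    """Read the ICMP type byte that follows the IPv4 header (IHL-aware)."""
    if packet[9] != 1:          # IP protocol number 1 = ICMP
        raise ValueError("not an ICMP packet")
    ihl_bytes = (packet[0] & 0x0F) * 4
    return packet[ihl_bytes]


def filter_decisions(mask, packets):
    """Return 'drop' or 'accept' per packet, as the mask would decide."""
    return ["drop" if is_rejected(mask, icmp_type_of(p)) else "accept" for p in packets]


# Constructed netstat -rn output, modelled on the routing table in Derk's post,
# with one extra ordinary route added for contrast.
NETSTAT_SAMPLE = """\
Routing tables
Destination      Gateway            Flags     Refs     Use  Interface
Netmasks:
Inet             0.0.0.0
Inet             255.255.255.0
Route Tree for Protocol Family 2:
default          192.168.102.233    UGMS        2   108267  tu0
192.168.102      192.168.102.10     U           3     4521  tu0
"""


def redirect_modified_routes(netstat_output):
    """Routes whose flags include M: the kernel rewrote them on a redirect."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # A route line has numeric Refs and Use columns; headers and netmask lines do not.
        if len(fields) < 6 or not (fields[3].isdigit() and fields[4].isdigit()):
            continue
        destination, gateway, flags = fields[:3]
        if "M" in flags:
            hits.append((destination, gateway, flags))
    return hits


if __name__ == "__main__":
    mask = reject_mask(ICMP_REDIRECT)
    print(f"icmp_rejectcodemask = {mask:#x} (dbx echoes {mask})")
    packets = [build_icmp_packet(ICMP_REDIRECT, code=1, rest=0xC0A866E9),
               build_icmp_packet(ICMP_ECHO_REQUEST)]
    print(filter_decisions(mask, packets))
    print(redirect_modified_routes(NETSTAT_SAMPLE))
```

Running the script prints the mask as 0x20 alongside its decimal 32, the decision list ['drop', 'accept'], and the single M-flagged default route. The netstat parser only keys on the Flags column, so it can be pointed at saved netstat -rn output from a host to confirm whether a redirect has already rewritten its default route before the mask is applied.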
 
Received on Wed Mar 28 2001 - 02:14:14 NZST
