On Tue, Feb 21, 2012 at 05:36:16PM +0200, Teodor MICU wrote:
> 2012/2/21 Simon Deziel <simon.dez...@gmail.com>:
> > The proposed changes are about _disabling_ ICMP redirects for tun-based
> > VPNs. Generally disabling send_redirects is something that should be
> > handled at the distro level IMO.
>
> Right, your proposal is to disable them. Even so why
> net.ipv4.conf.all.send_redirects and not specific tun/tap devices?
> Indeed all net devices have send_redirects=1 by default.
>
> > FWIW, on Ubuntu, net.ipv4.conf.all.accept_redirects = 0 by default;
> > don't know on Debian though.
>
> On Debian this entry is commented in /etc/sysctl.conf. Anyone can
> remove # to disable it, but it seems this doesn't have any effect if
> it is enabled on specific net devices (ie. I get ICMP redirects from
> ovpn tap device). Could this be a bug in kernel?

I think I read both conf.all.accept_redirects AND
conf.DEV.accept_redirects have to be switched off, didn't try it myself
yet.

Anyway, what worries me now is that case where "dev tun" is specified
instead of "dev tunX", and how to deal with that in the new code
proposed.

Cheers,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
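
An added example, not part of the thread or of the proposed OpenVPN change: a small audit script that reports the effective redirect behaviour per interface, using the combination rules from the kernel's ip-sysctl documentation (accept_redirects is conf/all AND conf/DEV when the interface forwards, OR otherwise; send_redirects is conf/all OR conf/DEV). The `CONF_ROOT` override and the function names are assumptions of this example; the `default` line shows what a device created later, such as a dynamically numbered tun, will inherit.

```shell
#!/bin/sh
# Added example (not from the thread): report the *effective* ICMP redirect
# behaviour per interface, combining conf/all with conf/<dev> as the kernel does.
# CONF_ROOT is overridable (assumption, for testing on a constructed tree).
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# rd KEY SCOPE: print $CONF_ROOT/SCOPE/KEY, or 0 if it cannot be read.
rd() { cat "$CONF_ROOT/$2/$1" 2>/dev/null || echo 0; }
on() { [ "$1" != 0 ]; }

# accept_redirects: all AND dev when the interface forwards, all OR dev otherwise.
effective_accept() {
    all=$(rd accept_redirects all); dev=$(rd accept_redirects "$1")
    if on "$(rd forwarding "$1")"; then
        if on "$all" && on "$dev"; then echo 1; else echo 0; fi
    else
        if on "$all" || on "$dev"; then echo 1; else echo 0; fi
    fi
}

# send_redirects: enabled if either conf/all or conf/<dev> is non-zero.
effective_send() {
    if on "$(rd send_redirects all)" || on "$(rd send_redirects "$1")"; then
        echo 1
    else
        echo 0
    fi
}

# One line per existing interface, plus the "default" values that interfaces
# created later (e.g. a dynamically numbered tun device) will inherit.
audit_redirects() {
    for d in "$CONF_ROOT"/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        echo "$i accept=$(effective_accept "$i") send=$(effective_send "$i")"
    done
    echo "default(new devices) accept_redirects=$(rd accept_redirects default)" \
         "send_redirects=$(rd send_redirects default)"
}

audit_redirects
```

Any interface reported with `send=1` or `accept=1` needs both the `all` and the per-device (and `default`) values reviewed, not just the entry in /etc/sysctl.conf.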