On Tue, Feb 21, 2012 at 02:23:19PM -0500, Simon Deziel wrote:
> On 12-02-21 01:57 PM, Alberto Gonzalez Iniesta wrote:
> > On Tue, Feb 21, 2012 at 01:46:51PM -0500, Simon Deziel wrote:
> >> On 12-02-21 11:41 AM, Teodor MICU wrote:
> >>> This is a hack anyway. How about dealing with this properly with some
> >>> code in OpenVPN? If I were you I would propose this to upstream
> >>> developers.
> >>
> >> Upstream (EugeneKay on #openvpn) expressed that they were not inclined
> >> to make those changes. They suggest to filter those bogus ICMP redirects
> >> at the firewall level. IMHO, avoiding the generation of those bogus ICMP
> >> redirects is cleaner and I still think the init script should take care
> >> of this.
> >>
> >> @Alberto, may I ask your opinion on this one ?
> >
> > Hi,
> >
> > I'd like to give this a second thought (kfreebsd compatibility worries
> > me too)
>
> I'm also for portability and wouldn't mind using sysctl instead of
> relying on proc files. I think the following procedure relying on sysctl
> would effectively turn off redirects for dynamically and
> statically created tun devices :
>
> 1) Set net.ipv4.conf.all.send_redirects = 0
> 2) Save net.ipv4.conf.default.send_redirects value
> 3) Set net.ipv4.conf.default.send_redirects = 0
> 4) Call the daemon to create the tun
> 5) Restore net.ipv4.conf.default.send_redirects initial value
>
> Is this better ?

Sounds good :-) Could you try it, please? I don't have a setup with that
issue right now.

> > How about suggesting (i.e. in README.Debian) inserting that piece of
> > shell you sent in "up" scripts for those people using tun + subnet?
> >
> > Maybe including it as /usr/share/openvpn/examples/avoid_redirects.sh
> > so people could just "source" it in their "up" script?
>
> All my VPNs run with uid != root and are also chroot'ed so an "up"
> script is not going to help.

ACK

Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
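
The five-step sysctl procedure quoted above, written out as a POSIX shell function, with a check that the new tun device really came up with redirects off. This is an added example, not code from the thread or from the Debian openvpn init script; the function names and the overridable `SYSCTL` variable are assumptions, and `sysctl -n` / `sysctl -w` are the Linux procps flags.

```shell
#!/bin/sh
# Added example: save/zero/restore of send_redirects around tun creation.
# SYSCTL is overridable (assumption) so the logic can be exercised without root.
SYSCTL=${SYSCTL:-sysctl}
KEY_ALL=net.ipv4.conf.all.send_redirects
KEY_DEFAULT=net.ipv4.conf.default.send_redirects

# Usage: start_without_redirects <daemon command> [args...]
# Returns the daemon command's exit status, or 1 if a sysctl call fails.
start_without_redirects() {
    # Step 1: the kernel sends redirects if conf/all OR conf/<iface> is set,
    # so "all" has to be 0 or the per-interface value is irrelevant.
    "$SYSCTL" -w "$KEY_ALL=0" >/dev/null || return 1
    # Step 2: remember the value new interfaces would normally inherit.
    _saved=$("$SYSCTL" -n "$KEY_DEFAULT") || return 1
    # Step 3: interfaces created from now on start with send_redirects=0.
    "$SYSCTL" -w "$KEY_DEFAULT=0" >/dev/null || return 1
    # Step 4: run the daemon command that creates the tun device.
    _rc=0
    "$@" || _rc=$?
    # Step 5: restore the default even when the daemon failed to start.
    "$SYSCTL" -w "$KEY_DEFAULT=$_saved" >/dev/null || return 1
    return "$_rc"
}

# Usage: redirects_off_for <iface>
# Succeeds only if the interface exists and its send_redirects is 0.
redirects_off_for() {
    [ "$("$SYSCTL" -n "net.ipv4.conf.$1.send_redirects" 2>/dev/null)" = 0 ]
}
```

Because the restore in step 5 runs as soon as the daemon command returns, calling `redirects_off_for` on the tun device afterwards confirms that the device was created while the default was still 0.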