At 15:56 19/04/01 +0200, Daniel Mester wrote:
>Hey all,
>I am just wondering - does 'ip redirect' (or icmp redirection) have some
>known security issues?


If you fall in the large category of people having a FW connected to only
one external router, your FW is not supposed to get ICMP redirects
from the outside. So there's no reason to let'em pass.

The problem with icmp redir is if a malicious entity manages to make you
send packets using a maliciously chosen route where passive and/or active
attacks can be performed.

*BSD systems have system-wide parameters to drop or log icmp redirects
(sysctl with net.inet.icmp.[drop_redirect, log_redirect]).


>Is it safe to leave it on external interfaces?

If there's a place to drop it, that's the external interface!
(unless your FW mission is to protect the internet from
your insiders:)

>Any links are greatly appreciated.

cheers,
mouss
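
An added example, not part of mouss's post: a small Python parser for ICMP Redirect messages (type 5) and a filter function implementing the policy described above, i.e. drop redirects that arrive on an external interface and only log them elsewhere. The interface names `ext0`/`int0` are hypothetical, and the sample packet is constructed from RFC 5737 documentation addresses; nothing here talks to a real network.

```python
"""Parse ICMP Redirect (type 5) messages and apply a drop-on-external policy.
Added example for the mailing-list thread above; not code from the original post."""
import socket
import struct

ICMP_REDIRECT = 5
# RFC 792 redirect codes
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 17, payload_len: int = 8) -> bytes:
    """Minimal 20-byte IPv4 header with no options (constructed for the sample)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def build_icmp_redirect(gateway: str, orig_src: str, orig_dst: str, code: int = 1) -> bytes:
    """Construct an ICMP Redirect: type, code, checksum, gateway address, then
    the IP header + 8 bytes of the datagram that triggered the redirect."""
    embedded = build_ipv4_header(orig_src, orig_dst) + b"\x00" * 8
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(gateway)) + embedded
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp_redirect(pkt: bytes):
    """Return a dict describing the redirect, or None if pkt is not a valid
    ICMP Redirect (wrong type, unknown code, bad checksum or truncated)."""
    if len(pkt) < 8 + 20:                      # ICMP header + embedded IP header
        return None
    icmp_type, code, _csum = struct.unpack("!BBH", pkt[:4])
    if icmp_type != ICMP_REDIRECT or code not in REDIRECT_CODES:
        return None
    if icmp_checksum(pkt) != 0:                # checksum field included -> must fold to 0
        return None
    gateway = socket.inet_ntoa(pkt[4:8])
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or len(inner) < ihl:
        return None
    return {
        "code": REDIRECT_CODES[code],
        "gateway": gateway,                    # the route the redirect tries to install
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
    }


def redirect_policy(pkt: bytes, iface: str, external_ifaces=("ext0",)) -> tuple:
    """Policy from the thread: redirects have no business arriving from outside,
    so drop them on external interfaces; elsewhere just log them.
    Interface names are hypothetical."""
    info = parse_icmp_redirect(pkt)
    if info is None:
        return ("pass", "not an ICMP redirect")
    msg = "redirect(%s) %s -> %s via %s" % (
        info["code"], info["orig_src"], info["orig_dst"], info["gateway"])
    if iface in external_ifaces:
        return ("drop", msg)
    return ("log", msg)


# Constructed sample: a host redirect telling 192.0.2.10 to reach 198.51.100.5
# via 192.0.2.66 (all RFC 5737 documentation addresses).
SAMPLE_REDIRECT = build_icmp_redirect("192.0.2.66", "192.0.2.10", "198.51.100.5")

if __name__ == "__main__":
    for iface in ("ext0", "int0"):
        print(iface, *redirect_policy(SAMPLE_REDIRECT, iface))
```

The parser verifies the ICMP checksum and the embedded IPv4 header before trusting any field, so a truncated or corrupted packet is reported as "not a redirect" rather than producing a misleading log line; the policy function is where an interface-based decision like the sysctl knobs mentioned above would be applied.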


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
