Dale Ghent wrote:
On Apr 1, 2009, at 12:12 AM, Grace Tang wrote:
Hi,
Is it possible on snv to disable ICMP echo reply without any firewalls
or IPfilters?
No, there isn't. This is exactly what ipfilter is for...
I see.
I tried 'ndd -set /dev/ip ip_respond_to_echo_multicast 0' and 'ndd -set
/dev/ip ip_respond_to_echo_broadcast 0'. They didn't work.
Note that the latter is for *broadcasts* ... i.e., the destination of an
echo request is the broadcast address of the applicable subnet. By
default, responding to these is off anyhow. To see why, googling
"smurf attack" will let you know.
It is "broadcast".
# ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# ndd -set /dev/ip ip_respond_to_echo_broadcasts 0
name is non-existent for this module
for a list of valid names, use name '?'
#
Thanks,
- Grace
In short - any packet filtering, and certainly any unicast packet
filtering, is done with ipfilter. There is no other mechanism to block
these other than using blackhole routes, and those do not discern
packet types.
/dale