On Apr 1, 2009, at 12:12 AM, Grace Tang wrote:
> Hi,
> Is it possible on snv to disable ICMP echo reply without any firewalls
> or IPfilters?
No, there isn't. This is exactly what ipfilter is for...
> I tried 'ndd -set /dev/ip ip_respond_to_echo_multicast 0' and
> 'ndd -set /dev/ip ip_respond_to_echo_broadcast 0'. They didn't work.
Note that the latter is for *broadcasts* ... i.e., the destination of an
echo request is the broadcast address of the applicable subnet. By
default, responding to these is off anyhow. To see why, googling
"smurf attack" will let you know.
In short - any packet filtering, and certainly any unicast packet
filtering, is done with ipfilter. There is no other mechanism to block
these other than using blackhole routes, and those do not discern
packet types.
/dale
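
The kind of ipfilter rule the reply points to, as an added example that is not part of the original thread: it drops inbound ICMP echo requests so the host never generates an echo reply. The file path (the usual Solaris location) and the choice of which other ICMP types to keep are assumptions to adapt to the host's existing policy.

```conf
# /etc/ipf/ipf.conf  (added example; path assumed, the usual Solaris location)

# Drop inbound ICMP echo requests (type 8), so no echo reply is ever sent.
# "quick" stops rule processing at the first matching rule.
block in quick proto icmp from any to any icmp-type echo

# Keep the ICMP errors the stack relies on: destination unreachable
# (includes "fragmentation needed" for path MTU discovery) and time exceeded.
# ipfilter passes unmatched packets by default, so these two rules only
# matter if the rest of the rule set blocks by default.
pass in quick proto icmp from any to any icmp-type unreach
pass in quick proto icmp from any to any icmp-type timex

# Let the host's own pings out and track them, so the matching replies
# are accepted even under a default-block policy.
pass out quick proto icmp from any to any icmp-type echo keep state
```

With the ipfilter service enabled, `ipf -Fa -f /etc/ipf/ipf.conf` flushes and reloads the rules and `ipfstat -io` lists what is active.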
_______________________________________________
networking-discuss mailing list