[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Markus Reschke
madires at theca-tabellaria.de
Sat Oct 1 13:31:02 CEST 2011
On Sat, 1 Oct 2011, Marc Heuse wrote:
Hi Marc!
>> For linux just add following to sysctl.conf:
>> net.ipv4.conf.default.accept_redirects=0
>> net.ipv4.conf.all.accept_redirects=0
>> net.ipv6.conf.default.accept_redirects=0
>> net.ipv6.conf.all.accept_redirects=0
>
> everybody thinks this works - but it does not.
> .all. does not change any configuration. you *must* configure the
> interfaces individually.
>
> so
> net.ipv4.conf.eth0.accept_redirects=0
> net.ipv4.conf.eth1.accept_redirects=0
> etc.
>
> I know it's hard to believe, so verify it for yourself :-)
If you check the interface specific settings with sysctl, you'll see
something like (that's right!):
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth1.accept_redirects = 1
But please read Documentation/networking/ip-sysctl.txt in the kernel
source:
accept_redirects - BOOLEAN
	Accept ICMP redirect messages.
	accept_redirects for the interface will be enabled if:
	- both conf/{all,interface}/accept_redirects are TRUE in the case
	  forwarding for the interface is enabled
	or
	- at least one of conf/{all,interface}/accept_redirects is TRUE in
	  the case forwarding for the interface is disabled
	accept_redirects for the interface will be disabled otherwise
	default TRUE (host)
		FALSE (router)
If packet forwarding is enabled the "all" setting 0 disables that feature
for the interface, even if accept_redirects is enabled for the interface
(logical AND). If packet forwarding is disabled it's a logical OR. In that
case you need to set "all" and the interface to 0.
And for IPv6:
accept_redirects - BOOLEAN
	Accept Redirects.
	Functional default: enabled if local forwarding is disabled.
			    disabled if local forwarding is enabled.
I don't know if that's really the case, since there is also an "all" for
IPv6 and it doesn't make much sense to treat that feature different for
v4 and v6.
Best regards,
Markus
--
/ Markus Reschke \ / madires at theca-tabellaria.de \ / FidoNet 2:244/1661 \
\ / \ / \ /
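Added example (mine, not from Markus's post, Marc's slides or the kernel tree): a POSIX shell script that encodes the IPv4 rule quoted above from ip-sysctl.txt and audits each interface directory under /proc/sys/net/ipv4/conf, so that "all=0" on a non-forwarding host is not mistaken for protection. It first runs against a constructed fake conf tree (all=0, eth0 not forwarding, eth1 forwarding, both interfaces left at the per-interface default of 1) to show that eth0 still accepts redirects while eth1 does not, then against the real /proc tree if it is readable. The function names and the sample tree are my own; the /proc/sys paths are the real ones. IPv4 only, since the post leaves the IPv6 semantics open.

```shell
#!/bin/sh
# Added example: apply the ip-sysctl.txt accept_redirects rule per interface.

# effective_accept_redirects ALL IFACE FORWARDING
# Prints 1 if ICMP redirects are effectively accepted on the interface.
# Forwarding enabled (router): conf/all AND conf/<iface> must both be 1.
# Forwarding disabled (host):  conf/all OR  conf/<iface> being 1 is enough.
effective_accept_redirects() {
    if [ "$3" -eq 1 ]; then
        if [ "$1" -eq 1 ] && [ "$2" -eq 1 ]; then echo 1; else echo 0; fi
    else
        if [ "$1" -eq 1 ] || [ "$2" -eq 1 ]; then echo 1; else echo 0; fi
    fi
}

# audit_ipv4_redirects [CONF_DIR]
# Walks CONF_DIR (default /proc/sys/net/ipv4/conf), prints one line per
# interface with the effective value, and returns 1 if any interface still
# accepts redirects (2 if the tree is unreadable). "all" and "default" are
# synthetic entries, not interfaces, so they are skipped.
audit_ipv4_redirects() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    if [ ! -r "$conf/all/accept_redirects" ]; then
        echo "cannot read $conf/all/accept_redirects" >&2
        return 2
    fi
    all_val=$(cat "$conf/all/accept_redirects")
    rc=0
    for dir in "$conf"/*/; do
        name=$(basename "$dir")
        case "$name" in all|default) continue ;; esac
        iface_val=$(cat "$dir/accept_redirects")
        fwd_val=$(cat "$dir/forwarding")
        eff=$(effective_accept_redirects "$all_val" "$iface_val" "$fwd_val")
        printf '%-10s all=%s iface=%s forwarding=%s -> accepts_redirects=%s\n' \
            "$name" "$all_val" "$iface_val" "$fwd_val" "$eff"
        if [ "$eff" -eq 1 ]; then rc=1; fi
    done
    return "$rc"
}

# make_sample_conf
# Builds a constructed (fake) conf tree in a temp directory mirroring the
# situation in the post: all=0, eth0 is a host interface (forwarding=0),
# eth1 forwards (forwarding=1), both still at the interface default of 1.
# Prints the directory path; the caller removes it.
make_sample_conf() {
    tmp=$(mktemp -d)
    for i in all eth0 eth1; do mkdir -p "$tmp/$i"; done
    echo 0 > "$tmp/all/accept_redirects"
    echo 1 > "$tmp/eth0/accept_redirects"; echo 0 > "$tmp/eth0/forwarding"
    echo 1 > "$tmp/eth1/accept_redirects"; echo 1 > "$tmp/eth1/forwarding"
    echo "$tmp"
}

# Demo on the constructed tree: eth0 reports accepts_redirects=1 (host, OR),
# eth1 reports 0 (router, AND), so the audit returns 1.
sample=$(make_sample_conf)
audit_ipv4_redirects "$sample" || echo "sample: some interface still accepts redirects"
rm -rf "$sample"

# Then the live kernel settings, when readable.
if [ -r /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    audit_ipv4_redirects /proc/sys/net/ipv4/conf || echo "live: fix the interfaces listed with accepts_redirects=1"
fi
```

On a host that does not forward, the only way to get accepts_redirects=0 is to set both conf/all and every conf/<iface> entry to 0, which is exactly Marc's point; the "default" entry only seeds interfaces created later, so existing interfaces need the explicit per-interface line in sysctl.conf.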