[ipv6hackers] IPv6 security presentation at Hack.lu 2011

fred fred at fredbovy.com
Sat Oct 1 17:23:58 CEST 2011


Hehe! It seems that I did not ask such a stupid question about ICMP
redirect :-)

Thanks for all the answers, it really helps!

Fred 




On 01/10/2011 13:31, "Markus Reschke" <madires at theca-tabellaria.de> wrote:

>On Sat, 1 Oct 2011, Marc Heuse wrote:
>
>Hi Marc!
>
>>> For linux just add following to sysctl.conf:
>>> net.ipv4.conf.default.accept_redirects=0
>>> net.ipv4.conf.all.accept_redirects=0
>>> net.ipv6.conf.default.accept_redirects=0
>>> net.ipv6.conf.all.accept_redirects=0
>>
>> everybody thinks this works - but it does not.
>> .all. does not change any configuration. you *must* configure the
>> interfaces individually.
>>
>> so
>> net.ipv4.conf.eth0.accept_redirects=0
>> net.ipv4.conf.eth1.accept_redirects=0
>> etc.
>>
>> I know it's hard to believe, so verify it for yourself :-)
>
>If you check the interface specific settings with sysctl, you'll see
>something like (that's right!):
>
>net.ipv4.conf.all.accept_redirects=0
>net.ipv4.conf.eth0.accept_redirects = 1
>net.ipv4.conf.eth1.accept_redirects = 1
>
>But please read Documentation/networking/ip-sysctl.txt in the kernel
>source:
>
>accept_redirects - BOOLEAN
>   Accept ICMP redirect messages.
>   accept_redirects for the interface will be enabled if:
>   - both conf/{all,interface}/accept_redirects are TRUE in the case
>     forwarding for the interface is enabled
>   or
>   - at least one of conf/{all,interface}/accept_redirects is TRUE in
>     the case forwarding for the interface is disabled
>     accept_redirects for the interface will be disabled otherwise
>     default TRUE (host)
>             FALSE (router)
>
>If packet forwarding is enabled the "all" setting 0 disables that feature
>for the interface, even if accept_redirects is enabled for the interface
>(logical AND). If packet forwarding is disabled it's a logical OR. In that
>case you need to set "all" and the interface to 0.
>
>And for IPv6:
>accept_redirects - BOOLEAN
>   Accept Redirects.
>
>   Functional default: enabled if local forwarding is disabled.
>                       disabled if local forwarding is enabled.
>
>I don't know if that's really the case, since there is also an "all" for
>IPv6 and it doesn't make much sense to treat that feature differently for
>v4 and v6.
>
>Best regards,
>  Markus
>-- 
>/ Markus Reschke \ / madires at theca-tabellaria.de \ / FidoNet 2:244/1661 \
>\                / \                             / \                    /
>_______________________________________________
>Ipv6hackers mailing list
>Ipv6hackers at lists.si6networks.com
>http://lists.si6networks.com/listinfo/ipv6hackers
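
The IPv4 rule quoted above from ip-sysctl.txt, as an added example that is not part of the thread or of the kernel documentation: a shell script that computes the effective accept_redirects state per interface from the "all", per-interface and forwarding values. The conf_root argument and the sample tree's forwarding values are assumptions made for illustration; IPv6 is left out because the thread leaves its semantics open.

```shell
#!/bin/sh
# Added example: effective IPv4 accept_redirects per interface, following
# the ip-sysctl.txt rule quoted in the thread.

# Print 1 if redirects are effectively accepted on <iface>, else 0.
# The conf_root argument is an assumption of this example so the logic can
# run against a constructed tree; it defaults to the live /proc path.
effective_redirects() {
    iface=$1; root=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/accept_redirects") || return 2
    ifv=$(cat "$root/$iface/accept_redirects") || return 2
    fwd=$(cat "$root/$iface/forwarding") || return 2
    if [ "$fwd" -ne 0 ]; then
        # Forwarding enabled: logical AND of "all" and the interface value.
        if [ "$all" -ne 0 ] && [ "$ifv" -ne 0 ]; then echo 1; else echo 0; fi
    else
        # Forwarding disabled: logical OR, so all=0 alone is not enough.
        if [ "$all" -ne 0 ] || [ "$ifv" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# List every interface (skipping the all/default templates) with its
# effective setting.
audit_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for d in "$root"/*/; do
        iface=$(basename "$d")
        case $iface in all|default) continue ;; esac
        eff=$(effective_redirects "$iface" "$root") || continue
        echo "$iface effective_accept_redirects=$eff"
    done
}

# Constructed sample tree: accept_redirects values as shown in the thread
# (all=0, eth0=1, eth1=1); the forwarding values are constructed
# (eth0 acts as a host, eth1 as a router).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/all" "$t/eth0" "$t/eth1"
    echo 0 > "$t/all/accept_redirects";  echo 0 > "$t/all/forwarding"
    echo 1 > "$t/eth0/accept_redirects"; echo 0 > "$t/eth0/forwarding"
    echo 1 > "$t/eth1/accept_redirects"; echo 1 > "$t/eth1/forwarding"
    echo "$t"
}

sample=$(make_sample_tree)
audit_redirects "$sample"
rm -rf "$sample"
```

On a real host, call `audit_redirects` with no argument to read /proc/sys/net/ipv4/conf directly.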




