lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20091124001230.GC14245@samad.com.au>
Date: Tue, 24 Nov 2009 11:12:30 +1100
From: Alex Samad <alex@...ad.com.au>
To: Jarek Poplawski <jarkao2@...il.com>
Cc: netdev@...r.kernel.org
Subject: Re: icmp redirects problem
On Mon, Nov 23, 2009 at 10:58:38PM +0100, Jarek Poplawski wrote:
> Alex Samad wrote, On 11/23/2009 05:31 AM:
>
[snip]
> >
> > laptop gets its ip from dchp server that make 192.168.11.1 the default
> > gateway and its 192.168.11.1 that sends out the icmp redirect.
>
> Btw, it seems you should fix your routing (by adding sydrt01's eth0
> the second ip or advertising 192.168.11.10 more) to avoid those
> redirects.
sorry I am lost on this statement, I can't add 192.168.11.10 to sydrt01
as it is not physically connected to the 192.168.10.0/24 any more, which
is why I had added the route on sydrt01 and which is why it send
icmp_rediercts.
I have updated the route table on each static machine, but the problem
is on the machines that get their ip via dhcp - I haven't looked at
pushing out route information via dhcp - I am not sure that it would
work in a mixed windows / linux environment.
what do you mean by advertising 192.168.11.10 more ?
>
> >
> > I had a quick look at the kernel tree for 2.6.31 (which is what I am
> > using).
>
> ...
>
> > Line 680
> > secure_redirects - BOOLEAN
> > 681 Accept ICMP redirect messages only for gateways,
> > 682 listed in default gateway list.
> > 683 secure_redirects for the interface will be enabled if at
> > least one of
> > 684 conf/{all,interface}/secure_redirects is set to TRUE,
> > 685 it will be disabled otherwise
> > 686 default TRUE
>
> Very helpful links. So, as you wrote "the documentation seems to suggest"
> something, and IMHO even if it doesn't, it's needlessly too concise
> considering your "lost time", and I'd suggest you sending a patch to fix
> this. (It seems it could "touch" shared_media, as well.)
Which is wrong the code or the documentation and which part the test or
the reliance on the shared_media or on the redirects flags
>
> Thanks,
> Jarek P.
>
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists