| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Jan 2016 10:31:51 +0100
From: Robert Sander <r.sander@...nlein-support.de>
To: netfilter@...r.kernel.org, netdev@...r.kernel.org
Subject: Configure ICMP error source address
Hi,
It is possible to change the source address of ICMP error messages
generated by the kernel via
/proc/sys/net/ipv4/icmp_errors_use_inbound_ifaddr. This is currently the
only way to influence the source address as ICMP errors do not travel
through the NAT table (for obvious reasons).
We have the situation that our routers use RFC1918 addresses on their
transfer networks (which should be quite common nowadays to save on
public IPv4 addresses). ICMP errors are generated with RFC1918 source
addresses and therefor never reach the original sender.
Every router has its public IP address bound to dev lo to be reachable
even if any one interface is down. Routing protocols assure that.
Is it a good idea to develop a kernel patch that makes it possible to
select the first IPv4 address on dev lo with scope global as the source
address for ICMP errors? Would that do any harm to the Internet at large?
Regards
--
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin
http://www.heinlein-support.de
Tel: 030 / 405051-43
Fax: 030 / 405051-19
Zwangsangaben lt. §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Geschäftsführer: Peer Heinlein -- Sitz: Berlin
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists