route entries after ICMP redirect

Andrew P. infofarmer at mail.ru
Sun Apr 10 04:51:17 PDT 2005


Sergey Matveychuk wrote:
> I've got some problem with route entries that were created after ICMP 
> redirect messages. They never expire.
> 
> Our default gateway (it's an HP switch) sends ICMP redirect messages if it 
> sees a short path to the destination. It makes it not so overloaded. But 
> paths sometimes change. There is no problem with Windows workstations, 
> they are rebooted daily. But my FreeBSD boxes hold dynamic route entries 
> forever.
> 
> I've looked through RFCs and Stevens' books and found no answer on what 
> the TTL for these entries is.
> Now I just add a route flush as a cron job. But maybe there is another way?


Quoting this http://www.bsdbooks.net/shells/sysctl.html,

The third concept that we want to strengthen our box
against is redirects. In a well-designed network,
redirects to the end stations should not be required.
Both the sending and accepting of redirects should be
disabled. Again to achieve this first run the command
and then add to /etc/rc.conf:

#sysctl -w net.inet.icmp.drop_redirect=1
#sysctl -w net.inet.icmp.log_redirect=1
#sysctl -w net.inet.ip.redirect=0
#sysctl -w net.inet6.ip6.redirect=0


Best wishes,
Andrew P.
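As an added check (my own example, not from this post or from the book it quotes): a small POSIX sh audit that compares the four settings above against a host's `sysctl` output and prints, in /etc/sysctl.conf "name=value" syntax, whatever still needs changing. The sample output inside the script is constructed; on a real box you would feed it the output of `sysctl` for the same four names.

```shell
# Constructed sample of `sysctl` output from a FreeBSD host that still
# accepts and sends ICMP redirects (not captured from a real machine).
SAMPLE_SYSCTL_OUTPUT='net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0
net.inet.ip.redirect: 1
net.inet6.ip6.redirect: 1'

# Target values from the post: drop and log incoming redirects, send none.
WANTED='net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0'

# audit_redirects CURRENT_OUTPUT
#   Takes "name: value" lines as printed by `sysctl name ...` and prints,
#   in /etc/sysctl.conf "name=value" form, every setting that differs from
#   WANTED. A name absent from the input (e.g. a kernel without IPv6) is
#   reported too, so it is not silently skipped. Prints nothing when the
#   host already matches.
audit_redirects() {
    current="$1"
    printf '%s\n' "$WANTED" | while IFS='=' read -r name want; do
        have=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == (n ":") { print $2 }')
        [ "$have" = "$want" ] || printf '%s=%s\n' "$name" "$want"
    done
}

# count_drift CURRENT_OUTPUT: number of settings still to fix; 0 means hardened.
count_drift() {
    audit_redirects "$1" | awk 'END { print NR }'
}

# On a live FreeBSD host you would run (as a demonstration, kept as a comment):
#   audit_redirects "$(sysctl net.inet.icmp.drop_redirect net.inet.icmp.log_redirect \
#                             net.inet.ip.redirect net.inet6.ip6.redirect)"
audit_redirects "$SAMPLE_SYSCTL_OUTPUT"
```

Lines it prints can be appended to /etc/sysctl.conf as-is; an empty result means nothing is left to change.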


More information about the freebsd-questions mailing list