How to Disable ICMP Redirects in Linux for security (Redhat, Debian, Ubuntu, SuSe tested)

7 Comments

  1. Thank you very much for the information provided in this site. I have just one comment:
    I tested the command “sysctl -w net.ipv4.conf.all.accept_redirects = 0” on my computer, which runs UBUNTU 8.0.4 LTS, and it rejected this command with the following message:
    error: “net.ipv4.conf.all.send_redirects” must be of the form name=value
    error: Malformed setting “=”
    error: “0” must be of the form name=value

    The correct syntax does not allow spaces in the assignment:
    “sysctl -w net.ipv4.conf.all.send_redirects=0”

    Danillo Franscys Borges de Oliveira
  2. Danilo, the problem is that there is a typo in the tutorial, you cannot enter spaces between the “=”.

    It should be like this:
    sysctl -w net.ipv4.conf.all.accept_redirects=0

    and not:
    sysctl -w net.ipv4.conf.all.accept_redirects = 0

  3. Well, one’s first impression may well be (at least I secretly admit: mine was) “this is trivial, ain’t?”, essentially “blaming it on the user”.

    Even so, the thought-to-be-long-since-lost truth comes to tell again. This time about this nuisance, sporting the merit of having been established the de facto standard for what one may call like “software implemented double standards”. (Yeah, that’s true, a blind advocate of tyranny and/or narcissism taking its place in our secure hitech system. And still they try convincing us pacing over our well-founded fears about rise of the robots! lolz)

    The thing is that both the informative, however “uncustomized” default (those “blamable” users, get it as “empty” or “meaningless” :)) conf file and the examples (read: usage help) given by sysctl binary handle the matter loosely.

    *=0
    and
    * = 0
    (see mentioned conf and “sysctl -a” for proof)
    forms are to be found in either.

    However, the binary does not accept the “spaced” version.
    (the one it itself uses for listing...)

    The man page from 1999 is overly correct, if I remember well.

  4. Ah, I am etch @ 2.6.26-2-686 SMP.

    And if you ever need to disable “echo requests” (that is, those sent by “program” called “ping”), just use

    net.ipv4.icmp_echo_ignore_all=1

    in either the config file or the shell.


  5. Hi,

    How do we test whether the ICMP redirect packets are blocked or not?

    (ICMP Type 13 and 14 -> ICMP Timestamp request and response)
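An added example, not code from the original post or from any of the commenters, that ties the thread together: it normalizes the spaced `key = value` form that `sysctl -a` (and `/etc/sysctl.conf`) use into the `name=value` form that `sysctl -w` insists on, and it audits `sysctl -a`-style output for the ICMP redirect settings (`accept_redirects`, `send_redirects` and `secure_redirects` under `net.ipv4.conf.*`), which is the kernel-side check for the question asked above. The sample output is constructed, and the function names (`normalize_line`, `audit_redirects`) are the example's own. When run stand-alone on a host that has `sysctl`, it audits the live kernel instead of the sample.

```shell
#!/bin/sh
# Added example; not code from the original post or its commenters.
# Two things the thread raises: (1) "sysctl -w" only accepts "name=value"
# with no spaces, while "sysctl -a" and sysctl.conf use "name = value";
# (2) how to check whether the ICMP-redirect settings are actually hardened.
# The sample output below is constructed, not captured from a real host.

SAMPLE_SYSCTL_A='net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_all = 0'

# normalize_line 'key = value' -> prints 'key=value', the only form that
# "sysctl -w" accepts. Comments, blank lines and lines without '=' are
# skipped (exit status 1).
normalize_line() {
    line=$1
    case "$line" in
        ''|'#'*|';'*) return 1 ;;
        *=*) ;;
        *) return 1 ;;
    esac
    key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    [ -n "$key" ] && [ -n "$value" ] || return 1
    printf '%s=%s\n' "$key" "$value"
}

# audit_redirects: reads "sysctl -a"-style lines on stdin. Prints one
# "NOT HARDENED" line for every ICMP-redirect key that is not 0 (accept,
# send and secure redirects, for every interface scope), an "INFO" line for
# icmp_echo_ignore_all, and returns 1 if anything was not hardened.
audit_redirects() {
    bad=0
    while IFS= read -r raw; do
        norm=$(normalize_line "$raw") || continue
        key=${norm%%=*}
        value=${norm#*=}
        case "$key" in
            net.ipv4.conf.*.accept_redirects|net.ipv4.conf.*.send_redirects|net.ipv4.conf.*.secure_redirects)
                if [ "$value" != 0 ]; then
                    echo "NOT HARDENED: $key=$value  (fix: sysctl -w $key=0)"
                    bad=$((bad + 1))
                fi ;;
            net.ipv4.icmp_echo_ignore_all)
                echo "INFO: $key=$value (1 ignores echo requests/ping entirely)" ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone run: audit the live kernel when sysctl is available, otherwise
# the constructed sample. Wrapped in "if" so a failed audit is reported, not
# treated as a script error.
if command -v sysctl >/dev/null 2>&1; then
    input=$(sysctl -a 2>/dev/null || true)
else
    input=$SAMPLE_SYSCTL_A
fi
if printf '%s\n' "$input" | audit_redirects; then
    echo "OK: all ICMP redirect settings are 0"
fi
```

Two practical points the audit encodes: `secure_redirects` is checked alongside `accept_redirects`, because a redirect from a gateway on the local routing table is still honoured when only `accept_redirects` is left at 1 on some kernels, and both the `all` and `default` scopes are checked, since `default` governs interfaces created later. A value set with `sysctl -w` does not survive a reboot; it also has to be written to `/etc/sysctl.conf` (where the spaced form is tolerated) and reloaded with `sysctl -p`.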

