| Summary: | Security enhancement to ICMP | | |
|---|---|---|---|
| Product: | Base System | Reporter: | aledm <aledm> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 3.2-RELEASE | | |
| Hardware: | Any | | |
| OS: | Any | | |
On Fri, Oct 15, 1999 at 04:03:28PM +0100, aledm@alice.net.uk wrote:
>
> User wanted to disable sending of replies to ICMP Timestamp requests
> FreeBSD has no knob to control this.
>

What's wrong with ipfw(8)'s `deny icmp from any to any icmptype 14'?

--
Ruslan Ermilov      Sysadmin and DBA of the
ru@ucb.crimea.ua    United Commercial Bank,
ru@FreeBSD.org      FreeBSD committer,
+380.652.247.647    Simferopol, Ukraine

http://www.FreeBSD.org    The Power To Serve
http://www.oracle.com     Enabling The Information Age

State Changed
From-To: open->closed

The suggested fix seems reasonable; instead of adding sysctl knobs to finely control ICMP generation, a packet filter should be used instead.
User wanted to disable sending of replies to ICMP Timestamp requests

Fix: I implemented this knob; I defaulted it to "don't reply" which is permitted by RFC1122 ("A host MAY implement Timestamp and Timestamp Reply." p.43) Personally I'd probably leave it enabled on systems I run.

How-To-Repeat: FreeBSD has no knob to control this.