Thursday, December 23, 2004

Disabling ICMP mask reply on Tru64


http://www.ornl.gov/lists/mailing-lists/tru64-unix-managers/2001/03/msg00473.html

It would be a matter of doing the same thing, but for the icmp_rejectcodemask value,

as the following post says, following the steps at this link:

http://h30097.www3.hp.com/docs/internet/TITLE.HTM


In article , "Jimmy Kelley" jimmy@federated.com writes:
Is there some way to disable responses to ICMP timestamp requests in Tru64 UNIX v 4.0f?

I checked the source code; there is indeed a way, although it takes a little
explanation.

There's a kernel global variable (in 4.0F; I'm not sure about earlier releases)
called "icmp_rejectcodemask". This is a bit mask, where each bit corresponds
to an ICMP message type code. If a bit is set, incoming messages with the
corresponding type are not handled by the ICMP protocol code (although they
ARE passed along to the raw-IP input code).

You can set multiple bits, to disable multiple ICMP types.

To disable responses to ICMP timestamp requests, for example, in C the
appropriate assignment would be:

icmp_rejectcodemask |= (1<<ICMP_TSTAMP);

Looking in /usr/include/netinet/ip_icmp.h, we find

#define ICMP_TSTAMP 13 /* timestamp request */

and (1<<13) = 8192.

So, to disable responses to ICMP_TIMESTAMP, you would set
icmp_rejectcodemask = 8192.


Currently, the only way to change this variable (so far as I know) is via dbx;
instructions are at http://www.unix.digital.com/internet/tuning.htm#mod_atts

I was told by the kernel engineers that "we are adding this to the on-line
internet server tuning guide for the next revision. It keeps coming up lately."

-Jeff
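
Added example (not part of the quoted post or of HP's documentation): the post's bit arithmetic applied to the address mask request this entry is about, plus a check of which request types a given mask value rejects. It assumes the Tru64 header uses the standard ICMP type numbers (address mask request is type 17 per RFC 950, named ICMP_MASKREQ in BSD-derived headers) and that the mask is 32 bits wide; `build_mask` and `rejects` are illustrative names.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* ICMP request types a host answers on its own. Numbers are the standard
 * ones (RFC 792 / RFC 950); names follow the BSD ip_icmp.h convention.
 * Assumption: the Tru64 header defines the same values. */
struct icmp_type { const char *name; unsigned code; };
static const struct icmp_type TYPES[] = {
    { "ICMP_ECHO",     8 },  /* echo request */
    { "ICMP_TSTAMP",  13 },  /* timestamp request (the post's example) */
    { "ICMP_IREQ",    15 },  /* information request */
    { "ICMP_MASKREQ", 17 },  /* address mask request */
};
#define NTYPES (sizeof TYPES / sizeof TYPES[0])

/* Build the icmp_rejectcodemask value for a list of type names.
 * Returns 0 if any name is unknown, rather than a partial mask. */
uint32_t build_mask(const char *const names[], size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < NTYPES; j++)
            if (strcmp(names[i], TYPES[j].name) == 0) {
                mask |= UINT32_C(1) << TYPES[j].code;
                break;
            }
        if (j == NTYPES)
            return 0;
    }
    return mask;
}

/* Audit helper: does an existing mask value reject this ICMP type code? */
int rejects(uint32_t mask, unsigned code)
{
    return code < 32 && ((mask >> code) & 1u);
}

int main(void)
{
    const char *const want[] = { "ICMP_TSTAMP", "ICMP_MASKREQ" };
    uint32_t mask = build_mask(want, 2);
    printf("icmp_rejectcodemask = %u (0x%x)\n", (unsigned)mask, (unsigned)mask);
    for (size_t j = 0; j < NTYPES; j++)
        printf("  %-13s (type %2u): %s\n", TYPES[j].name, TYPES[j].code,
               rejects(mask, TYPES[j].code) ? "rejected" : "handled");
    return 0;
}
```

Assigning the combined value keeps the timestamp bit set while adding the mask-request bit; assigning 131072 alone would clear any bits set earlier.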