Subject: misc/3212: Source routing configuration problem
To: None <gnats-bugs@gnats.netbsd.org>
From: None <david@mono.org>
List: netbsd-bugs
Date: 02/11/1997 17:10:29
>Number: 3212
>Category: misc
>Synopsis: Source routing configuration problem
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: misc-bug-people (Misc Bug People)
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Feb 11 09:20:01 1997
>Last-Modified:
>Originator: David Brownlee
>Organization:
Monochrome (http://www.mono.org/)
>Release: 1.2_BETA
>Environment:
NetBSD/sparc, IPX
System: NetBSD orwell.southern.net 1.2_BETA NetBSD 1.2_BETA (_SUN4C+FB_) #0: Fri Aug 16 10:40:16 BST 1996 david@electron.mono.org:/usr/src/sys/arch/sparc/compile/_SUN4C+FB_ sparc
>Description:
(Should actually be category 'security')
NetBSD ships with 'net.inet.ip.forwsrcrt = 1'. This means it will
forward source routed packets.
BSDI (from whom the sysctl name was taken) have changed to shipping
with net.inet.ip.forwsrcrt defaulted to 0. This is a 'Good Thing' :)
There is an additional option of adding a sysctl variable to
disable the _accepting_ of source routed packets as well,
however that involves some work :) (tcp wrappers are not enough
as UDP packets can be source routed as well)
>How-To-Repeat:
Use NetBSD as a router and watch those nasty source routed packets
getting through.
>Fix:
Default net.inet.ip.forwsrcrt to 0.
For the second part, add code to drop source routed packets :)
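As an added illustration (not part of this PR or of NetBSD itself), the
following POSIX sh snippet audits `sysctl`-style output for the knob
discussed above and reports whether the host forwards source routed
packets. The sample output embedded in it is constructed, not captured
from a real machine, and the function names (`sysctl_value`,
`audit_forwsrcrt`) are my own. The only real identifier it relies on is
`net.inet.ip.forwsrcrt`, the sysctl named in the report.

```shell
#!/bin/sh
# Added example, not from the PR: check `sysctl -a`-style output for
# net.inet.ip.forwsrcrt and say whether the box forwards source routed
# packets. Output lines are expected as "name = value".

# Constructed sample of what a 1.2_BETA-era box with the shipped default
# might print (the PR's complaint: forwsrcrt = 1).
SAMPLE_DEFAULT='net.inet.ip.forwarding = 1
net.inet.ip.redirect = 1
net.inet.ip.ttl = 64
net.inet.ip.forwsrcrt = 1'

# Constructed sample after applying the fix proposed in the PR.
SAMPLE_HARDENED='net.inet.ip.forwarding = 1
net.inet.ip.forwsrcrt = 0'

# sysctl_value NAME TEXT
#   Prints the value of sysctl NAME found in TEXT; prints nothing if absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $NF; exit }'
}

# audit_forwsrcrt TEXT
#   exit 0: forwarding of source routed packets is off (the PR's proposed default)
#   exit 1: forwarding is on (the 1.2_BETA default the PR objects to)
#   exit 2: the knob does not appear in TEXT at all
audit_forwsrcrt() {
    v=$(sysctl_value net.inet.ip.forwsrcrt "$1")
    case "$v" in
        0)
            echo "net.inet.ip.forwsrcrt=0: source routed packets are not forwarded"
            return 0
            ;;
        '')
            echo "net.inet.ip.forwsrcrt not reported; cannot tell"
            return 2
            ;;
        *)
            echo "net.inet.ip.forwsrcrt=$v: host forwards source routed packets"
            echo "  fix: sysctl -w net.inet.ip.forwsrcrt=0"
            return 1
            ;;
    esac
}

# Run the audit over both constructed samples when executed directly.
for s in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"; do
    audit_forwsrcrt "$s" || :
done
```

On a live system the same function can be fed `sysctl net.inet.ip`
output instead of the constructed samples; the exit status is what a
cron job or login script would act on.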
>Audit-Trail:
>Unformatted: