Matthias Scheler wries:

>        Manuel Bouyer <bouyer@antioche.lip6.fr> writes:
>> A sysctl net.inet.ip.acceptredirects would be nice.

>Yes, indeed. IPF works fine - thanks for the filter rule Darren - but
>is an overkill just to ignore ICMP redirects.


The Freebsd 4.0 snapshot release notes say:


FB40> Support has been added for blocking incoming ICMP redirects, outgoing RST
FB40> frames and incoming SYN|FIN frames in order to lessen or nullify the
FB40> impact of certain kinds of DoS attacks. [MERGED]
FB40> 
FB40> Support has been added for forwarding IP datagrams without inspecting or
FB40> decreasing the TTL in order to make gateways and firewalls less visible

Any chance we could use the same sysctl name(s)?  I cant tell if this
means blocking redirects for hosts that aren't routers. If so,
that sounds like a separate function.


The RST frame blocking and SYN!FIN blocking sound interesting too.