
SLES 11 SP3 ICMP Redirect Disabling



acastaneda32
18-Oct-2015, 19:54
I am trying to set the following to 0 and running SLES 11 SP3

- net.ipv4.conf.all.secure_redirects
- net.ipv4.conf.default.secure_redirects

I've added the following to /etc/sysctl.conf and have rebooted the system:

# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding
#net.ipv6.conf.all.forwarding = 1
# increase the number of possible inotify(7) watches
fs.inotify.max_user_watches = 65536
# avoid deleting secondary IPs on deleting the primary IP
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
# disable ICMP redirects
net.ipv4.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_timestamps = 0

But when I run /sbin/sysctl -a, I still see the following:

net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.secure_redirects = 1

I then run /sbin/sysctl -p, and get the following output:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
fs.inotify.max_user_watches = 65536
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
/proc/sys/net/ipv4/send_redirects: No such file or directory
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_timestamps = 0

I then run /sbin/sysctl -a and see the following:

net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

However, after I reboot and run /sbin/sysctl -a, I still see the following:

net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.secure_redirects = 1

How can I get those two attributes to permanently be set to 0?

smflood
18-Oct-2015, 20:19
acastaneda32 Wrote in message:

> I am trying to set the following to 0 and running SLES 11 SP3
>
> - net.ipv4.conf.all.secure_redirects
> - net.ipv4.conf.default.secure_redirects
>
> I've added the following to /etc/sysctl.conf and have rebooted the
> system:
>
> # Disable response to broadcasts.
> # You don't want yourself becoming a Smurf amplifier.
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> # enable route verification on all interfaces
> net.ipv4.conf.all.rp_filter = 1
> # enable ipV6 forwarding
> #net.ipv6.conf.all.forwarding = 1
> # increase the number of possible inotify(7) watches
> fs.inotify.max_user_watches = 65536
> # avoid deleting secondary IPs on deleting the primary IP
> net.ipv4.conf.default.promote_secondaries = 1
> net.ipv4.conf.all.promote_secondaries = 1
> # disable ICMP redirects
> net.ipv4.send_redirects = 0
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.secure_redirects = 0
> net.ipv4.conf.default.secure_redirects = 0
> net.ipv4.tcp_timestamps = 0
>
> But when I run /sbin/sysctl -a, I still see the following:
>
> net.ipv4.conf.default.secure_redirects = 1
> net.ipv4.conf.all.secure_redirects = 1
>
> I then run /sbin/sysctl -p, and get the following output:
>
> net.ipv4.icmp_echo_ignore_broadcasts = 1
> net.ipv4.conf.all.rp_filter = 1
> fs.inotify.max_user_watches = 65536
> net.ipv4.conf.default.promote_secondaries = 1
> net.ipv4.conf.all.promote_secondaries = 1
> /proc/sys/net/ipv4/send_redirects: No such file or directory
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.secure_redirects = 0
> net.ipv4.conf.default.secure_redirects = 0
> net.ipv4.tcp_timestamps = 0
>
> I then run /sbin/sysctl -a and see the following:
>
> net.ipv4.conf.default.secure_redirects = 0
> net.ipv4.conf.all.secure_redirects = 0
>
> However, after I reboot and run /sbin/sysctl -a, I still see the
> following:
>
> net.ipv4.conf.default.secure_redirects = 1
> net.ipv4.conf.all.secure_redirects = 1
>
> How can I get those two attributes to permanently be set to 0?

I suspect your two settings are being reset by a module loading
after the sysctl stuff is initially processed. Your best bet is
probably to put the appropriate two sysctl commands in
/etc/init.d/after.local file so they're processed at the end of
the system startup.

HTH.
--
Simon Flood
SUSE Knowledge Partner



acastaneda32
18-Oct-2015, 21:04
I don't see an after.local file there. Is that something I'd need to create? If so, how should I create the file? Thanks for the help.


/etc/init.d> ls -a
. boot.apparmor boot.dmraid boot.lvm boot.udev_retry haldaemon kexec ntp raw reboot slpd xdm
.. boot.cgroup boot.efivars boot.lvm_monitor cron halt lvm_wait_merge_snapshot openct rc rpasswdd smartd xfs
aaeventd boot.cleanup boot.fuse boot.md cups halt.local mcelog openwsmand rc0.d rpcbind smb xinetd
acpid boot.clock boot.ipconfig boot.multipath dbus haveged mdadmd pcscd rc1.d rpmconfigcheck smbfs ypbind
alsasound boot.compliance boot.kdump boot.proc .depend.boot inputattach microcode.ctl pm-profiler rc2.d rsyncd splash
arpd boot.crypto boot.klog boot.quota .depend.halt ipmi multipathd postfix rc3.d saslauthd splash_early
atd boot.crypto-early boot.ldconfig boot.rootfsck .depend.start ipmievd network powerd rc4.d setserial sshd
auditd boot.cycle boot.loadmodules boot.scpm .depend.stop irq_balancer network-remotefs powerfail rc5.d sfcb SuSEfirewall2_init
autofs boot.d boot.local boot.swap earlysyslog ivman nfs puppet rc6.d single SuSEfirewall2_setup
autoyast boot.debugfs boot.localfs boot.sysctl fbset joystick nmb purge-kernels rcS.d skeleton syslog
boot boot.device-mapper boot.localnet boot.udev gpm kbd nscd random README skeleton.compat uuidd

ab
19-Oct-2015, 02:45
Duplicating my response from the openSUSE version of your thread
http://forums.opensuse.org/showthread.php?t=510303:

Every time I've fought with sysctl stuff in this way the problem has been
caused by either changing networks or doing something else that refreshes
the firewall. The SuSEfirewall2 service appears to do some sysctl hacking
automatically and I've never figured out how to trump it other than by
adding a custom firewall script to the end of the SuSEfirewall2 version
which runs the sysctl commands manually after any firewall change. This
is not pretty, but it works reliably, at least on SUSE Linux Enterprise
Server (SLES) 11.

Look at the /etc/sysconfig/SuSEfirewall2 file, for the name of the custom
script (/etc/sysconfig/scripts/SuSEfirewall2-custom); uncomment the line,
and then modify that file (it should already exist waiting for input)
adding your sysctl command to the correct section. The correct section
could probably be 'fw_custom_after_finished' if nothing else works.


--
Good luck.


smflood
19-Oct-2015, 10:40
On 18/10/2015 21:14, acastaneda32 wrote:

> I don't see an after.local file there. Is that something I'd need to
> create? If so, how should I create the file? Thanks for the help.

No, the /etc/init.d/after.local doesn't exist by default on SLES so
you'll need to create and edit it using your favourite editor. It's just
a simple shell script.

HTH.
--
Simon
SUSE Knowledge Partner

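Both fixes suggested in this thread (ab's `fw_custom_after_finished` hook in /etc/sysconfig/scripts/SuSEfirewall2-custom and Simon's /etc/init.d/after.local) amount to "re-apply the sysctls after whatever resets them has run". The script below is an added example written for this thread, not code from any of the posters or from SUSE: it audits the ICMP-redirect keys by reading /proc/sys directly, reports which ones have drifted away from 0, and can re-write them. The key list uses `net.ipv4.conf.all.send_redirects` and `net.ipv4.conf.default.send_redirects`, which is what the `net.ipv4.send_redirects` line in the original sysctl.conf (the one that produced "No such file or directory") should have been. The optional root-directory argument is an assumption added so the logic can be exercised against a constructed /proc tree; on a real system it is left empty.

```shell
#!/bin/sh
# Audit and re-apply the ICMP redirect sysctls discussed in the thread.
# Example code for this thread, not SUSE's or the posters' own.
# Source it from /etc/init.d/after.local, or from fw_custom_after_finished
# in /etc/sysconfig/scripts/SuSEfirewall2-custom, and call
# enforce_redirect_sysctls so the values are restored after a later boot
# step (module load, SuSEfirewall2 reload) has overwritten them.

# Keys that must read 0 once hardening has taken effect. Note the
# conf.all/conf.default form for send_redirects: the bare
# net.ipv4.send_redirects has no /proc entry.
REDIRECT_KEYS="net.ipv4.conf.all.send_redirects
net.ipv4.conf.default.send_redirects
net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects"

# Map a dotted sysctl key to its /proc/sys path. $1 is an optional root
# directory (assumption for testing against a constructed tree; empty on a
# live system), $2 is the key.
key_to_path() {
    printf '%s/proc/sys/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Print "key=value" for every key whose current value is not 0, and
# "MISSING key (path)" for keys with no /proc entry. Returns 1 if anything
# was reported, 0 if every key is hardened.
check_redirect_sysctls() {
    root=${1:-}
    bad=0
    for key in $REDIRECT_KEYS; do
        path=$(key_to_path "$root" "$key")
        if [ ! -r "$path" ]; then
            echo "MISSING $key ($path)"
            bad=1
            continue
        fi
        val=$(cat "$path")
        if [ "$val" != "0" ]; then
            echo "$key=$val"
            bad=1
        fi
    done
    return $bad
}

# Write 0 to every key that exists (the same effect as "sysctl -w key=0"),
# then re-run the check so the caller learns whether the write stuck.
enforce_redirect_sysctls() {
    root=${1:-}
    for key in $REDIRECT_KEYS; do
        path=$(key_to_path "$root" "$key")
        [ -w "$path" ] && echo 0 > "$path"
    done
    check_redirect_sysctls "$root"
}

# Audit the live system and log any drift to syslog; handy from cron to
# confirm, after a reboot or a firewall reload, that nothing reset the keys.
audit_and_log() {
    if ! out=$(check_redirect_sysctls); then
        logger -t check-redirects "ICMP redirect sysctls drifted: $(printf '%s' "$out" | tr '\n' ' ')"
        return 1
    fi
    return 0
}
```

In after.local you would source this file and call `enforce_redirect_sysctls`; in the SuSEfirewall2 custom script the same call goes into `fw_custom_after_finished`, so a firewall reload cannot leave the keys at 1. One caveat worth knowing when interpreting the audit: `secure_redirects` only governs which gateways' redirects are honoured, so with `accept_redirects = 0` the kernel ignores redirects regardless of its value; getting it to 0 matters for compliance scanners that check the key itself, not for the kernel's behaviour.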

acastaneda32
19-Oct-2015, 17:25
Thanks smflood! I ended up creating the after.local file and adding the following:

sudo /sbin/sysctl -p

I rebooted the system and both the following are set to 0.

net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

In the future, I'll just need to modify the sysctl.conf file for any additional changes.

acastaneda32
19-Oct-2015, 17:28
Thanks. I'm going to try this in a test environment, but I'm successfully using the after.local file currently.