<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font size="-1"><font face="Arial">Absolutely,<br>
<br>
This script resides in my /root/bin.<br>
<br>
I call it disable_send_accept_redirects<br>
------<br>
#!/bin/bash<br>
<br>
# Disable send redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects<br>
<br>
# Disable accept redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects<br>
echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects<br>
<br>
-----<br>
<br>
I have also added the following line to my /etc/rc.local startup script:<br>
/root/bin/disable_send_accept_redirects<br>
<br>
So that it is called on startup. I am using FC7 - on your system the
startup script location may be different. <br>
<br>
As you can see I disable both types of redirects for ALL interfaces - I
am not sure if that is correct or wise but it seems to work for me ; )<br>
<br>
I'm new to linux too, welcome to the club.<br>
</font></font>
<pre class="moz-signature" cols="72">Regards,
Arjun Datta
</pre>
<br>
<br>
Chris Thomas wrote:
<blockquote
cite="mid:764729EEDBCB9F4B964900E10E4D309303794DCD@exch2k3.harkinsbuilders.com"
type="cite">
<div class="Section1">
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">OK,
should I worry about setting
the “accept_redirects” in just my interfaces or do I need to set it
in “all”, “default” and “lo” as well?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Care to
share your script? :)
I would be most grateful. I’m still fumbling my way through Linux,
so I’m not sure how to write it myself.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Thanks
for the help!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">-Chris<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";"> Arjun
Datta
[<a class="moz-txt-link-freetext" href="mailto:arjun@greatgulfhomes.com">mailto:arjun@greatgulfhomes.com</a>] <br>
<b>Sent:</b> Wednesday, March 12, 2008 1:28 PM<br>
<b>To:</b> Chris Thomas; <a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> RE: [Openswan Users] Installing OpenSwan for the
first time<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">Hi
Chris,</span><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">I
had a similar problem and I resolved it as follows:</span><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">Those
files are in the proc filesystem and contain a 0 or a 1 for
disabled/enabled.</span><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">Simply disable
the redirects by changing the 0 to a 1 in all
of those files. I used a script that I keep handy because sometimes
after reboot or restarting the network, those files go back to defaults
and the
redirects are enabled.</span><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">After
doing that you can check your work by running ipsec verify
again.</span><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">I
am not sure if this is the correct way of doing this but I did
the above and my VPN connection seems to work so far.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">Regards,</span><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif"; color: blue;">Arjun
Datta</span><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"> <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom: 12pt;"><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif";">-----Original
Message-----<br>
<b>From:</b> <a class="moz-txt-link-abbreviated" href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a>
[<a class="moz-txt-link-freetext" href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</a>]<b>On
Behalf Of </b>Chris Thomas<br>
<b>Sent:</b> Wednesday, March 12, 2008 1:07 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> [Openswan Users] Installing OpenSwan for the first
time</span><span
style="font-size: 12pt; font-family: "Times New Roman","serif";"><o:p></o:p></span></p>
<p class="MsoNormal">I am attempting to install OpenSwan on an Ubuntu
7.10
server. I ran <b>apt-get install openswan</b> and received the
following
after running <b>ipsec verify</b>:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>root@gatekeeper:/home/administrator# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.6/K2.6.22-14-server (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
root@gatekeeper:/home/administrator#
</pre>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">I’m
not exactly sure how to disable
“/proc/sys/net/ipv4/conf/*/send_redirects” and I’m not sure
if everything else there is OK or not. It does not match what the
wiki
tells me I should have, so I want to address this before I proceed.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">Thanks
in advance,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size: 10pt; font-family: "Arial","sans-serif";">-Chris</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
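<p>Added example, not part of the original messages: a generalization of the script above that loops over whatever entries exist under /proc/sys/net/ipv4/conf (all, default, lo and every interface) instead of naming eth0, eth1 and ppp0, then audits the result for any entry still enabled. The function names, the directory argument and the sample tree are assumptions made for illustration; on a live system the functions run as root with no argument.</p>
<pre>
```shell
#!/bin/sh
# Added example: disable and audit ICMP redirects for every conf entry.
# The directory is a parameter so the functions can be tried on a scratch
# tree; the default is the live proc path (writing there needs root).
CONF_ROOT_DEFAULT=/proc/sys/net/ipv4/conf

# Write 0 to send_redirects and accept_redirects under every entry that
# exists right now. For send_redirects the kernel ORs conf/all with the
# per-interface value, so a single leftover 1 keeps redirects on.
disable_redirects() {
    root=${1:-$CONF_ROOT_DEFAULT}
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -e "$f" ] || continue      # unmatched glob stays literal; skip it
        echo 0 > "$f" || return 1
    done
}

# Print each entry whose value is not 0; return 1 if any was found.
audit_redirects() {
    root=${1:-$CONF_ROOT_DEFAULT}
    bad=0
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -e "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "still enabled: $f = $val"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample tree (hypothetical interfaces), every value set to 1.
make_sample_tree() {
    for i in all default lo eth0 eth1; do
        mkdir -p "$1/$i"
        echo 1 > "$1/$i/send_redirects"
        echo 1 > "$1/$i/accept_redirects"
    done
}

# Offline demonstration: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    disable_redirects "$demo"
    if audit_redirects "$demo"; then echo "all redirects disabled"; fi
    rm -rf "$demo"
fi
```
</pre>
<p>Interfaces created later (a ppp0 that comes up after boot, for instance) start from the values in conf/default, so the audit is worth repeating once tunnels and dial-up links are up.</p>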
</body>
</html>