low-power / Blog: Disable ICMP redirect messages

Disable ICMP redirect messages

The ICMP redirect messages modify the kernel routing table in an undesirable way; it should be disabled from both manageability and security considerations.

The followings show some configuration command examples for different OS kernels.

Ignore incoming ICMP redirect

kFreeBSD or XNU

sysctl net.inet.icmp.drop_redirect=1

Linux

sysctl net.ipv4.conf.all.accept_redirects=0
sysctl net.ipv6.conf.all.accept_redirects=0

Solaris kernel

ipadm set-prop -p _ignore_redirect=1 ipv4
ipadm set-prop -p _ignore_redirect=1 ipv6

4.3 BSD kernel for VAX

echo "_rtredirect/W 01040000" | adb -k -w /vmunix /dev/mem

Disable sending ICMP redirect

Modern BSD kernel with sysctl support

sysctl net.inet.ip.redirect=0
sysctl net.inet6.ip6.redirect=0

Linux

sysctl net.ipv4.conf.all.send_redirects=0

Solaris kernel (before Oracle Solaris 11.2)

ipadm set-prop -p _send_redirects=0 ipv4
ipadm set-prop -p _send_redirects=0 ipv6

Posted by 2024-08-04 Labels: icmp-redirect

WHR Blog

Disable ICMP redirect messages

Ignore incoming ICMP redirect

kFreeBSD or XNU

Linux

Solaris kernel

4.3 BSD kernel for VAX

Disable sending ICMP redirect

Modern BSD kernel with sysctl support

Linux

Solaris kernel (before Oracle Solaris 11.2)