topic ndd questions in Operating System - HP-UX

ndd questions

Adam W. — Mon, 23 Feb 2009 19:26:01 GMT

Guru's,
I have 2 setrting that our IA group is freaking out about. They are:
ndd /dev/ip ip_forward_src_routed
1
and
# ndd /dev/ip ip_respond_to_echo_broadcast
1

First, can I set these to 0? and secondly if I do, will this have any adverse effects?

Re: ndd questions

Avinash20 — Mon, 23 Feb 2009 19:41:28 GMT

http://docs.hp.com/en/B9901-90044/ch10s02.html#echo_broadcast

ICMP Echo Request Broadcasts (ip_respond_to_echo_broadcast)

A ping message (ICMP echo request) to a broadcast address solicits responses from multiple systems and can generate a lot of network traffic. In security-conscious environments, HP recommends that you disable responses to broadcast echo requests.
0 (disable)
1 (enable)

Re: ndd questions

Avinash20 — Mon, 23 Feb 2009 19:43:53 GMT

http://www.cymru.com/Documents/ip-stack-tuning.html

With source routing, an attacker can attempt to reach internal IP addresses - including RFC1918 addresses. It is important to disable the acceptance of source routed packets to prevent subtle probes of your internal networks.

HP-UX
ndd -set /dev/ip ip_forward_src_routed 0
Disable this feature to prevent the host from forwarding source routed packets.

Re: ndd questions

Adam W. — Mon, 23 Feb 2009 19:47:41 GMT

Thank you much!

Re: ndd questions

rick jones — Tue, 24 Feb 2009 01:35:34 GMT

Disabling ip_respond_to_echo_broadcast only means it won't respond to broadcast pings. While some might think that makes a system more "secure," if it is talking on the net at all, it really doesn't make much of a difference.

I always thought that ip_forward_src_routed was only important if ip_forwarding was enabled, but I cannot confirm that simply with ndd -h output on 11.11 :( Still, if it makes your IA folks happy, it shouldn't really hurt anything.