cancel
Showing results for 
Search instead for 
Did you mean: 

ndd questions

 
SOLVED
Go to solution
Adam W.
Valued Contributor

ndd questions

Guru's,
I have 2 setrting that our IA group is freaking out about. They are:
ndd /dev/ip ip_forward_src_routed
1
and
# ndd /dev/ip ip_respond_to_echo_broadcast
1


First, can I set these to 0? and secondly if I do, will this have any adverse effects?
There are two types of people in the world, Marines and those who wish they were.
4 REPLIES
Avinash20
Honored Contributor
Solution

Re: ndd questions

http://docs.hp.com/en/B9901-90044/ch10s02.html#echo_broadcast

ICMP Echo Request Broadcasts (ip_respond_to_echo_broadcast)

A ping message (ICMP echo request) to a broadcast address solicits responses from multiple systems and can generate a lot of network traffic. In security-conscious environments, HP recommends that you disable responses to broadcast echo requests.
0 (disable)
1 (enable)
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: ndd questions

http://www.cymru.com/Documents/ip-stack-tuning.html

With source routing, an attacker can attempt to reach internal IP addresses - including RFC1918 addresses. It is important to disable the acceptance of source routed packets to prevent subtle probes of your internal networks.

HP-UX
ndd -set /dev/ip ip_forward_src_routed 0
Disable this feature to prevent the host from forwarding source routed packets.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Adam W.
Valued Contributor

Re: ndd questions

Thank you much!
There are two types of people in the world, Marines and those who wish they were.
rick jones
Honored Contributor

Re: ndd questions

Disabling ip_respond_to_echo_broadcast only means it won't respond to broadcast pings. While some might think that makes a system more "secure," if it is talking on the net at all, it really doesn't make much of a difference.

I always thought that ip_forward_src_routed was only important if ip_forwarding was enabled, but I cannot confirm that simply with ndd -h output on 11.11 :( Still, if it makes your IA folks happy, it shouldn't really hurt anything.
there is no rest for the wicked yet the virtuous have no pillows