Solaris Operating Environment by default is configured to both accept and send the ICMP Redirect messages. According to RFCs, only a router or a gateway device should send an ICMP Redirect message and any other hosts should only be able to receive the ICMP Redirects. If the Solaris server is not acting as a Router or a Gateway then sending ICMP Redirect message should be disabled. The same applies to accepting ICMP Redirect messages if the solaris server is not required to receive ICMP Redirect messages (say a single Router/Gateway network/subnets scenario) as a malicous hacker could send fake ICMP redirect messages to modify the routing table on the host and potentialy cause a Denial of Service attack.
Show and Disable ICMP Redirect message accept option
To see if accepting ICMP Redirects are enabled in Solaris,
In IPv4
root@solaris# ndd -get /dev/ip ip_ignore_redirect
0
In IPv6 then
root@solaris# ndd -get /dev/ip ip6_ignore_redirect
0
The “0” indicates that the host is configured to accept ICMP Redirect messages and “1” indicates it is being disabled
To disable the ICMP Redirect accept option,
In IPv4
root@solaris# ndd -set /dev/ip ip_ignore_redirect 1
In IPv6
root@solaris# ndd -set /dev/ip ip6_ignore_redirect 1
Show and Disable ICMP Redirect message send option
To see if sending ICMP Redirects are enabled in Solaris,
If you are using IPv4
root@solaris# ndd -get /dev/ip ip_send_redirects
1
If you are using IPv6 then
root@solaris# ndd -get /dev/ip ip6_send_redirects
1
The “1” indicates that the host is configured to send ICMP Redirect messages and “0” indicates it is being disabled
To disable the option,
In IPv4
root@solaris# ndd -set /dev/ip ip_send_redirects 0
In IPv6
root@solaris# ndd -set /dev/ip ip6_send_redirects 0
The above ndd -set commands dynamically update the ICMP Redirect send/receive options on the host. However, to ensure that the settings are applied at the boot time (say the next time when the server reboots) then edit the startup script /etc/rc2.d/S69inet and modify values accordingly.
Alternatively, you can download the nddconfig script and install on your server. This script can be used to adjust most of the ndd parameters for security purpose.
The script can be downloaded here (need an Sunsolve account)
http://www.sun.com/blueprints/tools/
To install the nddconfig script
Untar the downloaded nddconfig.tar file
root@solaris# tar -xvf nddconfig.tar
Copy the nddconfig file to /etc/init.d/ directory
root@solaris# cp nddconfig /etc/init.d/nddconfig
Change the file permissions to 744
root@solaris# chmod 744 /etc/init.d/nddconfig
Change the file ownership to root(user) and sys (grooup)
root@solaris# chown root:sys /etc/init.d/nddconfig
Create a hard link as follows:
root@solaris# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
This should help.