[c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Leonardo Gama Souza
leonardo.souza at nec.com.br
Mon Mar 24 09:01:30 EDT 2008
As for the interface stuff...
>
> Per Interface Config
>
> no ip redirects
> no ip unreachables
Personally, I don't like those two. What's wrong with a router
_sending_ ICMP redirects or (even more important/useful) ICMP
unreachables?
Keep in mind those commands are not about accepting those (but, as said,
sending them).
[Leonardo Gama Souza]
Personally, I think it's much better to rate-limit 'ip unreachables' than
to block them.
Probably Cisco doesn't change these silly defaults because they wouldn't
have selling points for tools such as SDM. :)
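As an added illustration (example config written for this page, not posted by anyone in the thread), here is the per-interface hardening that was quoted next to the alternative the reply prefers: leave the router generating ICMP unreachables and rate-limit them globally with `ip icmp rate-limit unreachable`. The interface name and the 200 ms interval are assumptions chosen for the example. The security-relevant difference is that `no ip unreachables` silences every ICMP type 3 message on that interface, including "fragmentation needed" (type 3, code 4), which hosts behind the router depend on for path MTU discovery; the `df` keyword of the rate-limit command exists so those DF-triggered messages can be limited separately from ordinary unreachables instead of being dropped with them.

```cisco
! ---------------------------------------------------------------
! Option A: the quoted per-interface config (apply A or B, not both).
! Interface name is an assumption for the example.
! ---------------------------------------------------------------
interface FastEthernet0/0
 ! Stop generating ICMP redirects: hosts should not learn next hops
 ! from redirects anyway, so suppressing them costs nothing.
 no ip redirects
 ! Suppresses ALL ICMP type 3 generation on this interface, including
 ! "fragmentation needed / DF set" (type 3, code 4). Hosts behind this
 ! router lose path MTU discovery through this hop.
 no ip unreachables
!
! ---------------------------------------------------------------
! Option B: keep unreachables enabled, rate-limit their generation.
! ---------------------------------------------------------------
interface FastEthernet0/0
 no ip redirects
 ! Explicitly keep the IOS default (unreachables are sent).
 ip unreachables
!
! Global rate limit: at most one unreachable every 200 ms
! (IOS default is 500 ms; 200 is an example value).
ip icmp rate-limit unreachable 200
! Separate limit for "fragmentation needed / DF set" messages, so
! PMTUD messages are not starved by a flood of ordinary unreachables.
ip icmp rate-limit unreachable df 200
!
! Verification (exec mode). Expected output for option B:
!   ICMP redirects are never sent
!   ICMP unreachables are always sent
! show ip interface FastEthernet0/0 | include ICMP
```

The rate limit applies to the router's own ICMP generation, not to ICMP it forwards, so it only bounds how much CPU and link capacity a scan or a null-routed prefix can cost the control plane; it does nothing about unreachables received from elsewhere, which is the distinction the quoted reply was making.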