this one is really simple. the default value of the kernel variable to ignore ICMP echo broadcasts is set to , meaning it will respond to ICMP_ECHO_REQUEST broadcasts. this means that a default RH6.2 installation can be used as a smurf attack amplifier. this is not good. a description of the smurf attack is really quite simple: forge an ICMP_ECHO_REQUEST from a host and send it to a broadcast address, and the responses will overwhelm it, pushing it off the network. this is described in a CERT note: http://www.cert.org/advisories/CA-98.01.smurf.html . bad. sysctl this variable by default to 1 to ignore the broadcasts. (yes, other kernel stuff like this is coming soon).
whoops, some typos: the default value of the kernel variable to ignore ICMP echo broadcasts is set to 0, meaning it will respond to ICMP_ECHO_REQUEST broadcasts. this value is stored in: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
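An added audit/hardening script for the setting named in the report (example code, not part of the original bug thread): it reads /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, classifies the host as a potential smurf amplifier (0) or hardened (1), and flips it to 1. The function names and the SYSCTL_PATH variable are this example's own; the demo uses a constructed temp file so it runs without root or /proc.

```shell
#!/bin/sh
# Added example: check and harden the kernel knob discussed above.
# Default path is the proc file named in the report; override with SYSCTL_PATH.
SYSCTL_PATH="${SYSCTL_PATH:-/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts}"

# Print the current value (0 or 1) from the given file, or "missing".
read_ignore_broadcasts() {
    f="${1:-$SYSCTL_PATH}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo missing
    fi
}

# "amplifier": kernel answers broadcast echo requests (value 0, the RH6.2
# default described in the report). "hardened": it ignores them (value 1).
classify_ignore_broadcasts() {
    case "$(read_ignore_broadcasts "$1")" in
        1) echo hardened ;;
        0) echo amplifier ;;
        *) echo unknown ;;
    esac
}

# Immediate fix (needs root): write 1 to the proc file. The persistent
# equivalent is the line  net.ipv4.icmp_echo_ignore_broadcasts = 1
# in /etc/sysctl.conf, or  sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
harden_ignore_broadcasts() {
    f="${1:-$SYSCTL_PATH}"
    [ -w "$f" ] && printf '1\n' > "$f"
}

# Demo on a constructed file simulating the 0 default, so nothing on the
# running system is touched. Prints "amplifier -> hardened".
demo() {
    tmp="$(mktemp)"
    printf '0\n' > "$tmp"
    before="$(classify_ignore_broadcasts "$tmp")"
    harden_ignore_broadcasts "$tmp"
    after="$(classify_ignore_broadcasts "$tmp")"
    rm -f "$tmp"
    echo "$before -> $after"
}

demo
```

Call `classify_ignore_broadcasts` with no argument to audit the live kernel; `harden_ignore_broadcasts` with no argument applies the fix until the next reboot.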
Having the kernel respond to broadcast pings can be useful in debugging, among other things. Broadcast pings should be filtered out in routers/firewalls.
Agreed, this is not a bug, this is a characteristic of TCP/IP that should be dealt with when designing your firewall.