From owner-freebsd-ipfw Sat Mar 31 11:58:33 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id C123E37B719 for ; Sat, 31 Mar 2001 11:58:29 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id LAA06382; Sat, 31 Mar 2001 11:58:10 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200103311958.LAA06382@gndrsh.dnsmgr.net>
Subject: Re: disable ping to box using ipfw
In-Reply-To: <4.3.2.7.2.20010330213837.00c173a0@nsit-popmail.uchicago.edu> from David Syphers at "Mar 30, 2001 09:43:39 pm"
To: dbsypher@uchicago.edu (David Syphers)
Date: Sat, 31 Mar 2001 11:58:09 -0800 (PST)
Cc: ml@db.nexgen.com (alexus), freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> At 09:17 PM 3/30/01 -0500, alexus wrote:
> >does anyone know how i can disable ping to my box using ipfw?
>
> ${fwcmd} add deny icmp from any to ${ip}

Please don't drop all icmp, he said ``disable ping to'' so let's disable ping:

ipfw add deny icmp from any to ${ip} icmptype 8

or

ipfw add deny icmp from any to any icmptype 8 in via ${oif}

But, to protect yourself from the bad stuff, yet allow the icmp stuff that is
needed for a properly functioning RFC compliant host you should probably add
this after the above (you can drop the 8 from the list, I just cut-n-pasted
this out of a ruleset):

ipfw add allow icmp from any to any icmptype 0,3,4,8,11
ipfw add deny log from any to any

> building on the 'client' prototype (change reference to the ip for 'simple'
> prototype). However, ping is not allowed by default, and so if your system
> is set to default deny, nobody can ping the machine if you're using even an
> unmodified client (or simple) prototype.

root {43}# grep icmp /etc/rc.firewall
root {44}# grep FreeBSD !$
grep FreeBSD /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.12 2001/03/06 01:58:02 obrien Exp $

BAD BAD BAD!!! (FreeBSD 4.3-RC1 :-() Doesn't even deal with icmp :-(

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
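The three rules in Rod's reply only behave as intended because ipfw evaluates rules in order and stops at the first match: the `icmptype 8` deny has to come before the `allow ... icmptype 0,3,4,8,11` line, or the allow list (which still contains type 8) passes the echo request first. The following is an added example, not code from the mail, from FreeBSD's `rc.firewall`, or from the ipfw project. It is a deliberately small Python model of first-match rule evaluation over the exact rule text quoted above; `HOST_IP`, `OIF`, the peer address and the function names (`parse_rule`, `evaluate`, `verdicts`) are assumptions standing in for `${ip}`, `${oif}` and real ipfw, and the parser understands only the keywords the thread uses.

```python
"""Toy first-match evaluator for the ICMP rules quoted in this mail.

Added example, not part of the mail or of FreeBSD's rc.firewall.  It models only
the syntax used above (action, optional 'log', protocol, from/to, 'icmptype a,b',
'in'/'out', 'via <if>') and reduces ipfw to: rules are tried in order, the first
match decides, and an unmatched packet is denied (the default-deny case).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

HOST_IP = "192.0.2.10"  # assumed stand-in for ${ip} (documentation range)
OIF = "fxp0"            # assumed stand-in for ${oif}

@dataclass
class Rule:
    action: str                           # "allow" or "deny"
    proto: str                            # "icmp", "tcp", ... or "any"
    src: str                              # address or "any"
    dst: str                              # address or "any"
    icmptypes: Optional[Set[int]] = None  # None: any ICMP type
    direction: Optional[str] = None       # "in", "out" or None
    via: Optional[str] = None             # interface name or None
    log: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmptype: Optional[int] = None
    direction: str = "in"
    iface: str = OIF

def parse_rule(text: str) -> Rule:
    """Parse a line like 'ipfw add deny icmp from any to any icmptype 8 in via fxp0'."""
    toks = text.split()
    while toks[0] in ("ipfw", "add"):
        toks.pop(0)
    action = toks.pop(0)
    log = toks[0] == "log"
    if log:
        toks.pop(0)
    # 'deny log from any to any' in the mail names no protocol: treat as any.
    proto = "any" if toks[0] == "from" else toks.pop(0)
    proto = "any" if proto in ("ip", "all") else proto
    kw_from, src, kw_to, dst = toks[:4]
    if (kw_from, kw_to) != ("from", "to"):
        raise ValueError("expected 'from <src> to <dst>'")
    del toks[:4]
    rule = Rule(action, proto, src, dst, log=log)
    while toks:
        t = toks.pop(0)
        if t == "icmptype":
            rule.icmptypes = {int(x) for x in toks.pop(0).split(",")}
        elif t in ("in", "out"):
            rule.direction = t
        elif t == "via":
            rule.via = toks.pop(0)
        else:
            raise ValueError(f"keyword not modelled by this toy parser: {t}")
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every qualifier present on the rule must hold for the packet."""
    return (rule.proto in ("any", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and (rule.icmptypes is None or pkt.icmptype in rule.icmptypes)
            and rule.direction in (None, pkt.direction)
            and rule.via in (None, pkt.iface))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First matching rule wins: (action, index of that rule, logged?)."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r.action, i, r.log
    return "deny", None, False  # nothing matched: default deny

# Rod's ordering: the echo-request deny sits *before* the allow list.
DENY_PING_FIRST = [parse_rule(r) for r in (
    f"ipfw add deny icmp from any to {HOST_IP} icmptype 8",
    "ipfw add allow icmp from any to any icmptype 0,3,4,8,11",
    "ipfw add deny log from any to any",
)]
# Same rules with the allow list first: type 8 matches it and the deny is never reached.
ALLOW_FIRST = [DENY_PING_FIRST[1], DENY_PING_FIRST[0], DENY_PING_FIRST[2]]

def verdicts(rules: List[Rule]) -> dict:
    """Run a ruleset over a few constructed inbound packets aimed at the host."""
    peer = "198.51.100.7"  # constructed remote address
    probes = {"echo-request": ("icmp", 8), "dest-unreachable": ("icmp", 3),
              "time-exceeded": ("icmp", 11), "redirect": ("icmp", 5), "tcp-syn": ("tcp", None)}
    return {name: evaluate(rules, Packet(proto, peer, HOST_IP, t))[0]
            for name, (proto, t) in probes.items()}

if __name__ == "__main__":
    print("deny ping first :", verdicts(DENY_PING_FIRST))
    print("allow list first:", verdicts(ALLOW_FIRST))
```

With Rod's ordering the host stops answering echo requests but still receives destination-unreachable and time-exceeded messages (so path MTU discovery and traceroute keep working), while anything outside the allow list, such as an ICMP redirect, falls through to the final `deny log` rule and shows up in the log. Swapping the first two rules silently re-enables ping, which is the kind of ordering mistake this model makes visible before a ruleset is loaded.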