From owner-freebsd-questions Sun Feb 13 12:42: 5 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by builder.freebsd.org (Postfix) with ESMTP id 266D94608 for ; Sun, 13 Feb 2000 12:41:56 -0800 (PST)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id PAA37645; Sun, 13 Feb 2000 15:46:42 -0500 (EST) (envelope-from cjc)
Date: Sun, 13 Feb 2000 15:46:42 -0500
From: "Crist J. Clark"
To: Giorgos Keramidas
Cc: chip , questions@FreeBSD.ORG
Subject: Re: rc.firewall problem - Take 4
Message-ID: <20000213154642.D31722@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000208040302.B10648@hades.hell.gr> <00020800084901.02763@firewall.homenet> <20000210162740.A13143@hades.hell.gr> <38A39BB1.17ED9740@wiegand.org> <20000211174455.B14230@hades.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000211174455.B14230@hades.hell.gr>; from keramida@ceid.upatras.gr on Fri, Feb 11, 2000 at 05:44:55PM +0200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Feb 11, 2000 at 05:44:55PM +0200, Giorgos Keramidas wrote:
> On Thu, Feb 10, 2000 at 09:18:41PM -0800, chip wrote:
> >
> > I hope these are readable. I thought it would be better to attach them
> > than to copy the whole text into the message. Chip W
>
> I don't mind the way it's done. As long as the attachments are plain
> text, there is no problem at all :)
>
> > chip# ipfw show
> > 00100 0 0 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 192.168.0.0/24 to any in recv mx0
> > 00400 0 0 deny ip from 208.194.173.0/25 to any in recv pn0
> > 00500 30 7265 deny ip from 192.168.0.0/16 to any via mx0
> > 00600 0 0 deny ip from any to 192.168.0.0/16 via mx0
> > 00700 0 0 deny ip from 172.16.0.0/12 to any via mx0
> > 00800 0 0 deny ip from any to 172.16.0.0/12 via mx0
> > 00900 0 0 deny ip from 10.0.0.0/8 to any via mx0
> > 01000 0 0 deny ip from any to 10.0.0.0/8 via mx0
> > 01100 23 7274 allow tcp from any to any established
> > 01200 0 0 allow tcp from any to 208.194.173.26 25 setup
> > 01300 0 0 allow tcp from any to 208.194.173.26 53 setup
> > 01400 0 0 allow tcp from any to 208.194.173.26 80 setup
> > 01500 0 0 deny log logamount 100 tcp from any to any in recv mx0 setup
> > 01600 8 384 allow tcp from any to any setup
> > 01700 0 0 allow udp from any 53 to 208.194.173.26
> > 01800 0 0 allow udp from 208.194.173.26 to any 53
> > 01900 0 0 allow udp from any 123 to 208.194.173.26
> > 02000 0 0 allow udp from 208.194.173.26 to any 123
> > 65535 36 2634 deny ip from any to any
>
> Now, from the rules below I can see that you're just denying *all* icmp
> packets, which match the rule at the bottom of the list. If you want to
> be able to ping/traceroute, you will probably find it useful to add in
> your rc.firewall a line that passes icmp packets through.
>
> Just add the following as the last rule of your rc.firewall.
>
> add allow icmp from any to any
>
> Some say that certain types of ICMP packets are evil, and on several
> systems I've seen, the administrators have even restricted the
> permissions of traceroute and ping, in order to stop the users from
> using them.

I just wanted to point out that even if you pass ICMP packets, that is
not enough for traceroute(8) to work. traceroute(8) also uses UDP by
default.

--
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
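An added example, not code from the thread: a toy Python first-match evaluator over a subset of the ipfw rules chip posted. It assumes the host address 208.194.173.26 from the listing, leaves out the interface-specific, anti-spoofing and "established" rules, and uses constructed documentation-range addresses plus the conventional first traceroute probe port 33434 (the rule number 2100 for the suggested icmp rule is also assumed). It shows that appending the suggested icmp rule lets the ICMP reply through while the outgoing UDP probe still falls to the final deny, which is Crist's point.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Toy first-match evaluator over a subset of the ipfw(8) rules quoted in the
# thread. It is NOT ipfw: "via"/"recv" clauses, the "established" rule and the
# early denies are omitted; only proto, address, port and TCP "setup" match.

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    setup: bool = False   # TCP segment with SYN set and ACK clear

def _net_match(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _port_match(want, have):
    return want is None or want == have

# (number, action, proto, src, sport, dst, dport, setup_only); the host
# address 208.194.173.26 and the rule numbers are taken from the thread.
RULESET = [
    (1600, "allow", "tcp", "any", None, "any", None, True),
    (1700, "allow", "udp", "any", 53, "208.194.173.26", None, False),
    (1800, "allow", "udp", "208.194.173.26", None, "any", 53, False),
    (1900, "allow", "udp", "any", 123, "208.194.173.26", None, False),
    (2000, "allow", "udp", "208.194.173.26", None, "any", 123, False),
    (65535, "deny", "ip", "any", None, "any", None, False),
]
# The rule Giorgos suggests appending; 2100 is an assumed number below 65535.
ALLOW_ICMP = (2100, "allow", "icmp", "any", None, "any", None, False)

def first_match(rules, pkt):
    """Return (rule number, action) of the first rule that matches pkt."""
    for num, action, proto, src, sport, dst, dport, setup_only in sorted(rules):
        if proto not in ("ip", pkt.proto) or (setup_only and not pkt.setup):
            continue
        if (_net_match(src, pkt.src) and _port_match(sport, pkt.sport)
                and _net_match(dst, pkt.dst) and _port_match(dport, pkt.dport)):
            return num, action
    raise AssertionError("rule 65535 should have matched")

# Constructed traceroute(8) probe (UDP to 33434, the traditional first port)
# and the ICMP time-exceeded reply a router sends back to the host.
PROBE = Packet("udp", "208.194.173.26", 40000, "198.51.100.7", 33434)
REPLY = Packet("icmp", "203.0.113.1", None, "208.194.173.26", None)
```

Calling first_match(RULESET + [ALLOW_ICMP], PROBE) still returns the final deny, while the same call with REPLY now returns the icmp allow.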