From: Michael Sierchio
To: Tim Daneliuk
Cc: FreeBSD Mailing List
Subject: Re: ipfw And ping
Date: Thu, 1 Dec 2011 18:50:26 -0800
In-Reply-To: <4ED80CD0.8070709@tundraware.com>
References: <4ED80CD0.8070709@tundraware.com>

You can rate-limit pings and other icmp with sysctl nodes (sysctl net.inet.icmp)

You can make the rule a little more restrictive:

add allow icmp from any to any icmptypes 0,3,8,11

if you want to disallow echo requests, omit 8 - the others are
essential for most things to work properly or to diagnose problems.

On Thu, Dec 1, 2011 at 3:25 PM, Tim Daneliuk wrote:
> I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine.
> Pings were not getting through so I added this near the top
> of the rule set:
>
>  #####
>  # Allow icmp
>  #####
>
>  ${FWCMD} add allow icmp from any to any
>
>
> It does work but, two questions:
>
> 1) Is there a better way?
> 2) Will this cause harm or otherwise expose the server to some
>    vulnerability?
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
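
An added example, not part of the original thread: a small sh/awk check that reads `ipfw list` output and flags ICMP allow rules broader than the `icmptypes 0,3,8,11` rule suggested in the reply. The function names and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Audits "ipfw list" output for ICMP
# allow rules broader than the reply's suggestion.
# Types: 0 echo reply, 3 destination unreachable, 8 echo request,
# 11 time exceeded.
ESSENTIAL="0,3,8,11"

# audit_icmp_rules (hypothetical name): ruleset on stdin, one finding per
# "allow ... icmp ..." rule on stdout.
audit_icmp_rules() {
    awk -v essential="$ESSENTIAL" '
    BEGIN { n = split(essential, e, ","); for (k = 1; k <= n; k++) ok[e[k]] = 1 }
    $2 == "allow" {
        proto = ""; types = ""
        # The protocol is the word before "from"; this skips "log" options.
        for (i = 3; i <= NF; i++) {
            if ($i == "from" && proto == "") proto = $(i - 1)
            if ($i == "icmptypes" && i < NF) types = $(i + 1)
        }
        if (proto != "icmp") next
        if (types == "") { print $1 " UNRESTRICTED: all ICMP types allowed"; next }
        extra = ""
        m = split(types, t, ",")
        for (j = 1; j <= m; j++) {
            if (t[j] in ok) continue
            sep = (extra == "") ? "" : ","
            extra = extra sep t[j]
        }
        if (extra != "") print $1 " EXTRA: types outside " essential ": " extra
        else print $1 " OK: icmptypes " types
    }'
}

# Constructed sample ruleset, modelled on "ipfw list" output.
sample_rules() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00200 allow icmp from any to any
00300 allow icmp from any to any icmptypes 0,3,11
00400 allow icmp from any to me icmptypes 0,3,8,11,13
65535 deny ip from any to any
EOF
}

sample_rules | audit_icmp_rules
```

On a live host the input would be `ipfw list | audit_icmp_rules`. Rules written with protocol `ip` or `all` also admit ICMP and are outside what this check looks at.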