Date: Tue, 11 Dec 2001 07:27:06 -0800 (PST)
From: krzysztof <cs052279@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: Securing Network from ping
Message-ID: <20011211152706.30717.qmail@web14806.mail.yahoo.com>

Hello,

I'm trying to secure my firewall and only pass in icmp traffic to certain machines while being able to utilize icmp from the inside. I am running an IPFilter firewall. Here is how my configuration looks:

Inside Interface: I pass all icmp traffic in and out and keep state on it.

Outside Interface: Outgoing I pass all icmp traffic and keep state on it. Incoming I pass icmp-type 0,8,11 and keep state.

What I want to do is pass icmp-type 0,8,11 to only certain machines and not the whole network. So when I put in the following rule on the outside interface it should only pass in icmp traffic to the specified box and allow others to ping from the inside out.

    pass in all on fxp1 head 100
    pass in log quick proto icmp from any to xxx.xxx.xxx.xxx keep state group 100
    block in log quick all

However, this only works halfway. I can ping the specified machine from the outside and nothing else.... This is a good thing. However, I can't ping any machine on the outside from any machine on the inside. I can ping from the firewall itself though. It seems like my icmp packets are not keeping state.

Thank you for any advice in this matter.

-Chris