Date: Sat, 31 Mar 2001 11:58:09 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: dbsypher@uchicago.edu (David Syphers)
Cc: ml@db.nexgen.com (alexus), freebsd-ipfw@FreeBSD.ORG
Subject: Re: disable ping to box using ipfw
Message-ID: <200103311958.LAA06382@gndrsh.dnsmgr.net>
In-Reply-To: <4.3.2.7.2.20010330213837.00c173a0@nsit-popmail.uchicago.edu> from David Syphers at "Mar 30, 2001 09:43:39 pm"
> At 09:17 PM 3/30/01 -0500, alexus wrote:
> >does anyone know how i can disable ping to my box using ipfw?
>
> ${fwcmd} add deny icmp from any to ${ip}
Please don't drop all icmp, he said ``disable ping to'' so let's disable ping:
ipfw add deny icmp from any to ${ip} icmptype 8
or
ipfw add deny icmp from any to any icmptype 8 in via ${oif}
But, to protect yourself from the bad stuff, yet allow the icmp stuff
that is needed for a properly functioning RFC compliant host you should
probably add this after the above (you can drop the 8 from the list,
I just cut-n-pasted this out of a ruleset):
ipfw add allow icmp from any to any icmptype 0,3,4,8,11
ipfw add deny log ip from any to any
> building on the 'client' prototype (change reference to the ip for 'simple'
> prototype). However, ping is not allowed by default, and so if your system
> is set to default deny, nobody can ping the machine if you're using even an
> unmodified client (or simple) prototype.
root {43}# grep icmp /etc/rc.firewall
root {44}# grep FreeBSD !$
grep FreeBSD /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.12 2001/03/06 01:58:02 obrien Exp $
BAD BAD BAD!!! (FreeBSD 4.3-RC1 :-() Doesn't even deal with icmp :-(
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
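The point of the reply above is that ipfw is first-match: the narrow "deny icmptype 8 in" rule must come before the broader "allow icmptype 0,3,4,8,11" rule, and dropping all of icmp also kills the types a host needs (destination unreachable for path-MTU discovery, time exceeded for traceroute). The following Python model is an added illustration and is not part of the original message or of ipfw itself; it assumes a default-deny ruleset, a hypothetical outside interface named fxp0, and rule numbers 100/200/300 (ipfw auto-numbers in steps of 100 when none is given). It evaluates constructed sample packets against the three rules from the reply and, for contrast, against the "deny all icmp" variant that was being discouraged.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed minimal model of an ipfw rule. ipfw walks the rules in order and
# the first rule that matches decides the packet's fate (first-match semantics).
@dataclass
class Rule:
    number: int
    action: str                             # "allow" or "deny"
    proto: str = "ip"                       # "ip" matches any protocol
    icmptypes: Optional[frozenset] = None   # None = any ICMP type
    direction: Optional[str] = None         # "in", "out" or None (either way)
    via: Optional[str] = None               # interface name or None (any)
    log: bool = False

@dataclass
class Packet:
    proto: str                              # "icmp", "tcp", ...
    direction: str                          # "in" or "out"
    iface: str                              # interface the packet crosses
    icmptype: Optional[int] = None          # only meaningful for ICMP

def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True when every constraint on the rule holds for the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.icmptypes is not None and (pkt.proto != "icmp"
                                       or pkt.icmptype not in rule.icmptypes):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True

def evaluate(ruleset, pkt: Packet):
    """(action, rule number) of the first matching rule; default deny at 65535."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535

OIF = "fxp0"  # hypothetical outside interface (${oif} in the reply)

# The three rules from the reply: block inbound echo requests on the outside
# interface, then allow the ICMP types a host needs, then deny and log the rest.
RULESET = [
    Rule(100, "deny", "icmp", frozenset({8}), direction="in", via=OIF),
    Rule(200, "allow", "icmp", frozenset({0, 3, 4, 8, 11})),
    Rule(300, "deny", "ip", log=True),
]

# The discouraged alternative: drop every ICMP packet, then the same catch-all.
DROP_ALL_ICMP = [
    Rule(100, "deny", "icmp"),
    Rule(200, "deny", "ip", log=True),
]

# Constructed sample traffic, keyed by a description of what it represents.
SAMPLE_PACKETS = {
    "inbound echo request (ping to the box)":   Packet("icmp", "in",  OIF, 8),
    "outbound echo request (ping from the box)": Packet("icmp", "out", OIF, 8),
    "inbound echo reply":                        Packet("icmp", "in",  OIF, 0),
    "inbound destination unreachable":           Packet("icmp", "in",  OIF, 3),
    "inbound time exceeded (traceroute)":        Packet("icmp", "in",  OIF, 11),
    "inbound redirect":                          Packet("icmp", "in",  OIF, 5),
    "inbound tcp (no tcp rules in this model)":  Packet("tcp",  "in",  OIF),
}

def verdicts(ruleset=RULESET):
    """Map each sample packet to the (action, rule number) that decided it."""
    return {name: evaluate(ruleset, pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, ruleset in (("reply's ruleset", RULESET), ("deny all icmp", DROP_ALL_ICMP)):
        print(f"== {name} ==")
        for desc, (action, num) in verdicts(ruleset).items():
            print(f"  rule {num:5d} {action:5s}  {desc}")
```

Running it shows that with the reply's ordering only the inbound echo request is refused (rule 100), outbound pings and the replies, unreachables and time-exceeded messages they depend on all pass at rule 200, and anything else falls to the logged catch-all; swapping in the "deny all icmp" variant makes the destination-unreachable packet die at rule 100 as well, which is the RFC-compliance problem the reply warns about. The TCP sample only hits the catch-all because this model contains none of the other rules a real rc.firewall would place before it.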
