Date: Sat, 31 Mar 2001 11:58:09 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: dbsypher@uchicago.edu (David Syphers)
Cc: ml@db.nexgen.com (alexus), freebsd-ipfw@FreeBSD.ORG
Subject: Re: disable ping to box using ipfw
Message-ID: <200103311958.LAA06382@gndrsh.dnsmgr.net>
In-Reply-To: <4.3.2.7.2.20010330213837.00c173a0@nsit-popmail.uchicago.edu> from David Syphers at "Mar 30, 2001 09:43:39 pm"
> At 09:17 PM 3/30/01 -0500, alexus wrote:
> >does anyone know how i can disable ping to my box using ipfw?
>
> ${fwcmd} add deny icmp from any to ${ip}

Please don't drop all icmp, he said ``disable ping to'' so let's disable ping:

ipfw add deny icmp from any to ${ip} icmptype 8

or

ipfw add deny icmp from any to any icmptype 8 in via ${oif}

But, to protect yourself from the bad stuff, yet allow the icmp stuff that is
needed for a properly functioning RFC compliant host you should probably add
this after the above (you can drop the 8 from the list, I just cut-n-pasted
this out of a ruleset):

ipfw add allow icmp from any to any icmptype 0,3,4,8,11
ipfw add deny log from any to any

> building on the 'client' prototype (change reference to the ip for 'simple'
> prototype). However, ping is not allowed by default, and so if your system
> is set to default deny, nobody can ping the machine if you're using even an
> unmodified client (or simple) prototype.

root {43}# grep icmp /etc/rc.firewall
root {44}# grep FreeBSD !$
grep FreeBSD /etc/rc.firewall
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.12 2001/03/06 01:58:02 obrien Exp $

BAD BAD BAD!!! (FreeBSD 4.3-RC1 :-()  Doesn't even deal with icmp :-(

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
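The difference between the three rulesets in this reply (drop all ICMP, drop only echo-request, drop echo-request but keep the ICMP types a host needs) is easiest to see by running a few ICMP types through ipfw's first-match evaluation. The following is an added example, not part of the thread and not FreeBSD code: a small simulator that parses the subset of ipfw syntax used above and reports which rule decides each packet. HOST_IP stands in for ${ip}, fxp0 for ${oif}, and the catch-all is written with an explicit "ip" protocol; the sample ICMP types are constructed.

```python
"""Added example: first-match simulation of the ICMP rulesets from the
thread. Not ipfw itself; it models only the match keys used above
(destination address and icmptype). HOST_IP stands in for ${ip}."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

HOST_IP = "192.0.2.10"   # assumption: constructed stand-in for ${ip}

# ICMP types used below; names are for readable output only
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded",
              13: "timestamp"}
SAMPLE_TYPES = tuple(sorted(ICMP_NAMES))


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    dst: str                             # "any" or a host address
    icmptypes: Optional[FrozenSet[int]]  # None = every ICMP type


def parse_rule(text: str) -> Rule:
    """Parse: <allow|deny> [log] <icmp|ip> from <src> to <dst>
    [icmptype a,b,c] [in via <if>]. Source and interface are accepted
    but not matched on: every sample packet is inbound to HOST_IP."""
    tok = text.split()
    action = tok.pop(0)
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action {action!r}")
    if tok[0] == "log":
        tok.pop(0)                       # logging never affects matching
    if tok.pop(0) not in ("icmp", "ip", "all"):
        raise ValueError("only icmp/ip rules are modelled here")
    if tok.pop(0) != "from":
        raise ValueError("expected 'from'")
    tok.pop(0)                           # source address (ignored)
    if tok.pop(0) != "to":
        raise ValueError("expected 'to'")
    dst = tok.pop(0)
    icmptypes = None
    if tok and tok[0] == "icmptype":
        tok.pop(0)
        icmptypes = frozenset(int(t) for t in tok.pop(0).split(","))
    return Rule(action, dst, icmptypes)


def evaluate(rules: List[Rule], dst: str, icmptype: int,
             default: str = "deny") -> Tuple[str, int]:
    """ipfw semantics: the first matching rule decides. Returns the
    verdict and the 1-based rule position; 0 means no rule matched and
    the kernel default (deny on a default-deny build) applied."""
    for number, rule in enumerate(rules, start=1):
        if rule.dst not in ("any", dst):
            continue
        if rule.icmptypes is not None and icmptype not in rule.icmptypes:
            continue
        return rule.action, number
    return default, 0


def verdicts(ruleset: List[str], default: str = "deny") -> Dict[int, str]:
    """Verdict per sample ICMP type for a textual ruleset."""
    rules = [parse_rule(r) for r in ruleset]
    return {t: evaluate(rules, HOST_IP, t, default)[0] for t in SAMPLE_TYPES}


# The rulesets from the thread, with ${ip} replaced by HOST_IP.
DROP_ALL_ICMP = [f"deny icmp from any to {HOST_IP}"]
PING_ONLY = [f"deny icmp from any to {HOST_IP} icmptype 8"]
PING_ONLY_PLUS_NEEDED = [
    f"deny icmp from any to {HOST_IP} icmptype 8",
    "allow icmp from any to any icmptype 0,3,4,8,11",
    "deny log ip from any to any",       # catch-all, protocol made explicit
]

if __name__ == "__main__":
    cases = [("drop all icmp", DROP_ALL_ICMP, "allow"),
             ("ping only", PING_ONLY, "allow"),
             ("ping + needed", PING_ONLY_PLUS_NEEDED, "deny")]
    for name, rs, default in cases:
        v = verdicts(rs, default)
        print(f"{name:14}", "  ".join(f"{ICMP_NAMES[t]}={v[t]}" for t in v))
```

The first two rulesets are evaluated with an open (allow) default to show what the single rule changes on its own; the third is evaluated with a deny default, as in a default-deny rc.firewall. The output makes Rodney's point concrete: the blanket rule drops destination-unreachable and time-exceeded along with echo-request, while the three-rule version drops echo-request at rule 1, passes types 0, 3, 4 and 11 at rule 2, and sends everything else (redirect, timestamp) to the logged catch-all.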