From owner-freebsd-security Tue Jun 27 09:38:06 2000
Delivered-To: freebsd-security@freebsd.org
Received: from relay2.inwind.it (relay2.inwind.it [212.141.53.73]) by hub.freebsd.org (Postfix) with ESMTP id 2DE1437C100 for ; Tue, 27 Jun 2000 09:37:58 -0700 (PDT) (envelope-from bartequi@inwind.it)
Received: from bartequi.ottodomain.org (212.141.78.68) by relay2.inwind.it; 27 Jun 2000 18:37:56 +0200
From: Salvo Bartolotta
Date: Tue, 27 Jun 2000 17:39:59 GMT
Message-ID: <20000627.17395900@bartequi.ottodomain.org>
Subject: Re: icmp type 3 code 4: a couple of questions
To: Richard Martin
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3958E1C5.18593553@origen.com>
References: <20000627.14530500@bartequi.ottodomain.org> <3958E1C5.18593553@origen.com>
X-Mailer: SuperCalifragilis
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Richard Martin,

thanks again for replying.

Well, actually, my homebox will behave, as it were, like a Klingon spaceship: for example, it will normally deny **all** icmptypes except type 3 code 4 (DF). When I need to ping, traceroute, etc., I will *temporarily* remove some restrictions. At least, this is the idea.

I have achieved "invisibility" as well as the desired incoming icmp packets 3.4 by simply allowing all icmptypes 3, and dropping all outward bound icmp packets. If I fully understand the matter, this method should work without (?) side effects. If this is the case, I thus obtain the same result -- just as if I were allowing icmp 3.4 packets and rejecting all other icmptypes.

Needless to say, I have CONSTANTLY been portscanned (nice packets having been sent to a bunch of ports such as tcp 23) in the last few weeks; which is the reason for such drastic decisions. Since utilities such as Firewalk (a traceroute-like program) make use of ICMP, I wish to prevent this kind of scan.

Back to my question: AFAICS, ipfilter can allow icmp 3.4 (blocking all other icmptypes) whereas ipfw apparently cannot **exactly** do that. However, if my understanding of the whole affair is correct (see above), the issue is purely academic.

Best regards,
Salvo

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 6/27/00, 6:17:57 PM, Richard Martin wrote regarding Re: icmp type 3 code 4: a couple of questions:

> Add:
> /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
> /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
> /sbin/ipfw add deny log icmp from any to any
> this lets the firewall machine ping in and out (used by Big Brother), but
> stops those not very useful, and blocks all ICMP to other machines past
> the firewall
> Substitute in the ICMP types you want to allow each way, you can specify
> different ones both in and out.
> We use
> icmpallow="0,3,4,5,8,11,12,14,16,18"
> I wonder if anyone has any comments on the appropriateness of these
> --
> Richard Martin dmartin@origenbio.com
>
> Salvo Bartolotta wrote:
> > Dear FreeBSD'ers,
> >
> > I am running a paranoidly closed firewall (homebox).
> >
> > Just out of curiosity, is there an *ipfw* way to allow ONLY icmp type
> > 3 code 4 packets (DF), dropping all other icmp packets onto the floor
> > ?
> >
> > The question may be academic, though; I seem to understand that
> > letting icmptypes 3 in (while letting NO icmp packets out) should
> > achieve the same (paranoid) goal. Am I missing anything ?
> >
> > Thanks in advance,
> > Salvo

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
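As an added illustration, not part of the thread above and not code from either poster, the following Python script simulates first-match ICMP filtering in the style of the quoted ipfw rules over constructed packets. It contrasts the "allow all type 3 in, drop all outbound ICMP" policy described in the reply with the ipfilter-style "only type 3 code 4 in" policy the original question asked about. Because an icmptypes match keys on the type alone, the one kind of packet the two policies treat differently is an inbound type 3 with a code other than 4 (the example uses code 3, port unreachable). The address 192.0.2.10 stands in for ${oip}, the peer address is arbitrary, and every packet is built in the script; checksums are left at zero because the filter never reads them.

```python
"""Simulate ipfw-style first-match ICMP filtering on constructed IPv4/ICMP packets."""
import struct
from dataclasses import dataclass
from typing import Optional

OIP = "192.0.2.10"      # hypothetical firewall address standing in for ${oip}
ICMP_PROTO = 1
TCP_PROTO = 6


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_packet(src: str, dst: str, proto: int, icmp_type: int = 0, icmp_code: int = 0) -> bytes:
    """Minimal IPv4 datagram (no options, zero checksums) carrying an ICMP header or a dummy TCP payload."""
    if proto == ICMP_PROTO:
        payload = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)   # type, code, checksum, rest of header
    else:
        payload = b"\x00" * 20                                        # placeholder transport header
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         _ip_to_bytes(src), _ip_to_bytes(dst))
    return header + payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int]
    icmp_code: Optional[int]


def parse_packet(raw: bytes) -> Packet:
    """Read the IPv4 header fields a filter needs, plus ICMP type/code when present."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src, dst = _bytes_to_ip(raw[12:16]), _bytes_to_ip(raw[16:20])
    if proto != ICMP_PROTO:
        return Packet(src, dst, proto, None, None)
    icmp_type, icmp_code = struct.unpack_from("!BB", raw, ihl)
    return Packet(src, dst, proto, icmp_type, icmp_code)


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "deny"
    src: str                                  # "any" or an address
    dst: str
    icmptypes: Optional[frozenset] = None     # like ipfw's icmptypes: matches on type only
    icmpcode: Optional[int] = None            # code match, which the thread notes ipfw lacks and ipfilter offers

    def matches(self, p: Packet) -> bool:
        if p.proto != ICMP_PROTO:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.icmptypes is not None and p.icmp_type not in self.icmptypes:
            return False
        if self.icmpcode is not None and p.icmp_code != self.icmpcode:
            return False
        return True


def evaluate(rules, raw: bytes) -> str:
    """First matching rule wins; non-ICMP traffic falls through to the rest of the ruleset."""
    packet = parse_packet(raw)
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "no-icmp-rule"


# Policy from the reply: every type 3 in, nothing out, everything else denied.
TYPE3_IN_ONLY = [
    Rule("pass", "any", OIP, icmptypes=frozenset({3})),
    Rule("deny", OIP, "any"),
    Rule("deny", "any", "any"),
]

# The ipfilter-style policy from the original question: only type 3 code 4 in.
CODE4_ONLY = [
    Rule("pass", "any", OIP, icmptypes=frozenset({3}), icmpcode=4),
    Rule("deny", "any", "any"),
]


def compare(src: str, dst: str, proto: int, icmp_type: int = 0, icmp_code: int = 0):
    """Return (verdict under TYPE3_IN_ONLY, verdict under CODE4_ONLY) for one constructed packet."""
    raw = build_packet(src, dst, proto, icmp_type, icmp_code)
    return evaluate(TYPE3_IN_ONLY, raw), evaluate(CODE4_ONLY, raw)


if __name__ == "__main__":
    peer = "198.51.100.7"   # constructed remote address
    cases = [
        ("inbound 3/4 frag-needed", (peer, OIP, ICMP_PROTO, 3, 4)),
        ("inbound 3/3 port-unreach", (peer, OIP, ICMP_PROTO, 3, 3)),
        ("inbound 8/0 echo-request", (peer, OIP, ICMP_PROTO, 8, 0)),
        ("outbound 0/0 echo-reply", (OIP, peer, ICMP_PROTO, 0, 0)),
        ("inbound tcp", (peer, OIP, TCP_PROTO)),
    ]
    for label, args in cases:
        print(f"{label:26s} type3-in-only={compare(*args)[0]:13s} code4-only={compare(*args)[1]}")
```

The second case is the point of the comparison: under the type-only rule every destination-unreachable code reaches the host, not just the fragmentation-needed one, which is the "exactly" the poster says ipfw cannot express.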