Date:      Tue, 27 Jun 2000 17:39:59 GMT
From:      Salvo Bartolotta <bartequi@inwind.it>
To:        Richard Martin <dmartin@origen.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: icmp type 3 code 4: a couple of questions
Message-ID:  <20000627.17395900@bartequi.ottodomain.org>
In-Reply-To: <3958E1C5.18593553@origen.com>
References:  <20000627.14530500@bartequi.ottodomain.org> <3958E1C5.18593553@origen.com>

Dear Richard Martin,

thanks again for replying.

Well, actually, my homebox will behave, as it were, like a Klingon
spaceship: for example, it will normally deny **all** icmptypes except
type 3 code 4 (DF). When I need to ping, traceroute, etc., I will
*temporarily* remove some restrictions. At least, this is the idea.

I have achieved "invisibility" as well as the desired incoming icmp
packets 3.4 by simply allowing all icmptypes 3, and dropping all
outward bound icmp packets. If I fully understand the matter, this
method should work without (?) side effects. If this is the case, I
thus obtain the same result -- just as if I were allowing icmp 3.4
packets and rejecting all other icmptypes.

Needless to say, I have CONSTANTLY been portscanned (nice packets
having been sent to a bunch of ports such as tcp 23) in the last few
weeks, which is the reason for such drastic decisions.

Since utilities such as Firewalk (traceroute-like program) make use of
ICMP, I wish to prevent this kind of scan.

Back to my question: AFAICS, ipfilter can allow icmp 3.4 (blocking all
other icmptypes) whereas ipfw apparently cannot **exactly** do that.
However, if my understanding of the whole affair is correct (see
above), the issue is purely academic.

Best regards,
Salvo

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 6/27/00, 6:17:57 PM, Richard Martin <dmartin@origen.com> wrote
regarding Re: icmp type 3 code 4: a couple of questions:


> Add:
>
>     /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
>     /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
>     /sbin/ipfw add deny log icmp from any to any
>
> This lets the firewall machine ping in and out (used by Big Brother), but
> stops those not very useful, and blocks all ICMP to other machines past
> the firewall.
>
> Substitute in the ICMP types you want to allow each way; you can specify
> different ones both in and out.
>
> We use
>
>     icmpallow="0,3,4,5,8,11,12,14,16,18"
>
> I wonder if anyone has any comments on the appropriateness of these.
>
> --
> Richard Martin       dmartin@origenbio.com



> Salvo Bartolotta wrote:
>
> > Dear FreeBSD'ers,
> >
> > I am running a paranoidly closed firewall (homebox).
> >
> > Just out of curiosity, is there an *ipfw* way to allow ONLY icmp type
> > 3 code 4 packets (DF), dropping all other icmp packets onto the floor?
> >
> > The question may be academic, though; I seem to understand that
> > letting icmptypes 3 in (while letting NO icmp packets out) should
> > achieve the same (paranoid) goal. Am I missing anything?
> >
> > Thanks in advance,
> > Salvo
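The two policies discussed in this thread, modelled as an added example (not code from the original messages, nor from ipfw or ipfilter): Salvo's ipfw approach of passing inbound icmptypes 3 and dropping all outbound ICMP, beside the exact type 3 code 4 filter he attributes to ipfilter. The ICMP messages are constructed, and the comparison shows where the two policies differ.

```python
import struct


def parse_icmp(payload: bytes):
    """Return (type, code) from an ICMP header: type (1 byte), code (1 byte), checksum (2)."""
    if len(payload) < 4:
        raise ValueError("ICMP header needs at least 4 bytes")
    icmp_type, icmp_code = struct.unpack("!BB", payload[:2])
    return icmp_type, icmp_code


def ipfw_style(direction: str, icmp_type: int, icmp_code: int) -> bool:
    """Salvo's ruleset: pass inbound icmptypes 3, deny all other ICMP in both directions.
    ipfw's icmptypes keyword selects on type only, so every type 3 code is admitted."""
    return direction == "in" and icmp_type == 3


def ipfilter_style(direction: str, icmp_type: int, icmp_code: int) -> bool:
    """The exact policy from the thread: pass inbound type 3 code 4 (fragmentation needed) only."""
    return direction == "in" and icmp_type == 3 and icmp_code == 4


def icmp_bytes(icmp_type: int, icmp_code: int) -> bytes:
    """Constructed ICMP header (checksum and rest-of-header zeroed); not a real capture."""
    return struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)


# Constructed sample traffic, labelled by direction relative to the firewalled host.
SAMPLES = {
    "in frag-needed (3/4)": ("in", icmp_bytes(3, 4)),
    "in port-unreach (3/3)": ("in", icmp_bytes(3, 3)),
    "in echo-request (8/0)": ("in", icmp_bytes(8, 0)),
    "in time-exceeded (11/0)": ("in", icmp_bytes(11, 0)),
    "out echo-reply (0/0)": ("out", icmp_bytes(0, 0)),
    "out port-unreach (3/3)": ("out", icmp_bytes(3, 3)),
}


def compare(samples=SAMPLES):
    """Return {label: (ipfw_passes, ipfilter_passes)} for each sample message."""
    result = {}
    for label, (direction, raw) in samples.items():
        t, c = parse_icmp(raw)
        result[label] = (ipfw_style(direction, t, c), ipfilter_style(direction, t, c))
    return result


def differences(samples=SAMPLES):
    """Labels where the two policies disagree: the side effects of matching on type alone."""
    return [label for label, (a, b) in compare(samples).items() if a != b]


if __name__ == "__main__":
    for label, (fw, ipf) in compare().items():
        print(f"{label:26} ipfw-style={'pass' if fw else 'deny':4} ipfilter-style={'pass' if ipf else 'deny'}")
```

Both policies drop every outbound message, which is the "invisibility" the thread describes; they differ only on inbound type 3 messages with a code other than 4.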