From owner-freebsd-security Sun Feb 24 7:43:53 2002
Date: Sun, 24 Feb 2002 10:43:34 -0500 (EST)
From: Ralph Huntington
To: Jeff Palmer
Cc: Dag-Erling Smorgrav ,
Subject: Re: Couple of concerns with default rc.firewall
In-Reply-To: <001101c1bd48$2df35020$0286a8c0@home.lan>
Message-ID: <20020224104008.H14963-100000@mohegan.mohawk.net>

Maybe I'm missing the point, but doesn't "deny ip from any to any" (which is
the last rule in a block-all-by-default firewall) mean to block everything,
meaning everything? Nothing would be allowed, not any icmp of any type or
anything else. In order to allow anything in particular, that would have to be
explicitly enabled in a prior (ipfw) rule, is that not correct?

On Sun, 24 Feb 2002, Jeff Palmer wrote:

> DES,
>
> Maybe you fail to see my point. I was wondering if there was a reason the
> FreeBSD team has decided not to allow certain ICMP's by default.
> I'm perfectly aware of how to change the rules to do what I want. I was
> asking if there was a reason for this decision, or if it was an oversight.
>
>
> ----- Original Message -----
> From: "Dag-Erling Smorgrav"
> To: "Jeff Palmer"
> Cc:
> Sent: Sunday, February 24, 2002 7:16 AM
> Subject: Re: Couple of concerns with default rc.firewall
>
>
> > "Jeff Palmer" writes:
> > > Is there any reason in particular, that ALL icmp traffic is denied
> > > by default, except for using the 'open' ruleset?
> >
> > The default rule #65535 is "deny ip from any to any". Wouldn't you be
> > surprised if this *didn't* block all ICMP packets?
> >
> > Just add the following early on in your firewall ruleset:
> >
> > allow icmp from any to any icmptype 0,3,8,11
> >
> > preferably *after* any anti-spoofing rules.
> >
> > DES
> > --
> > Dag-Erling Smorgrav - des@ofug.org
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
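The first-match behaviour the thread turns on, as an added example that is not part of the original mails: a small Python model of ipfw rule evaluation (constructed for illustration, not ipfw itself) with rule 65535 as the catch-all deny, the ICMP allow DES quotes, and a hypothetical anti-spoofing rule for 10.0.0.0/8. Rule numbers, the 10.0.0.0/8 spoof range and the 192.0.2.x / 198.51.100.x addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of ipfw semantics: rules are tried in ascending number
# order and the first match decides. Rule 65535 "deny ip from any to any"
# therefore catches every packet no earlier rule explicitly allowed.

@dataclass
class Rule:
    number: int
    action: str                        # "allow" or "deny"
    proto: str                         # "ip" matches every protocol
    src: str                           # "any" or a CIDR network
    dst: str
    icmptypes: frozenset = frozenset() # empty set = any ICMP type

def _net_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not _net_match(rule.src, pkt["src"]) or not _net_match(rule.dst, pkt["dst"]):
        return False
    if rule.icmptypes and pkt.get("icmptype") not in rule.icmptypes:
        return False
    return True

def evaluate(rules, pkt):
    """Return (rule number, action) of the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("rule 65535 must always be present")

# The default catch-all, a hypothetical anti-spoofing rule dropping packets
# that claim a private source, and the ICMP allow from the thread.
DEFAULT_DENY = Rule(65535, "deny", "ip", "any", "any")
ANTI_SPOOF = Rule(100, "deny", "ip", "10.0.0.0/8", "any")   # assumed spoof block
ALLOW_ICMP = Rule(200, "allow", "icmp", "any", "any", frozenset({0, 3, 8, 11}))

def closed_ruleset():
    return [DEFAULT_DENY]                       # nothing allowed at all

def icmp_ruleset():
    return [ANTI_SPOOF, ALLOW_ICMP, DEFAULT_DENY]  # allow placed after anti-spoof

def icmp_packet(src, icmptype):
    # Constructed packet: ICMP of the given type to a documentation address.
    return {"proto": "icmp", "src": src, "dst": "192.0.2.10", "icmptype": icmptype}
```

With only the default rule an echo request is denied by 65535; with the allow in place, types 0, 3, 8 and 11 pass while an ICMP redirect (type 5) still falls through to the deny, and a ping from the spoofed range is dropped by rule 100 before the allow is ever consulted.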