From owner-freebsd-security Tue Jun 27 10: 7:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 040F637C158 for ; Tue, 27 Jun 2000 10:07:12 -0700 (PDT) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Tue, 27 Jun 2000 11:07:09 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma009557; Tue, 27 Jun 00 11:07:05 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id LAA29572; Tue, 27 Jun 2000 11:07:01 -0600 (MDT)
Date: Tue, 27 Jun 2000 11:07:00 -0600 (MDT)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Salvo Bartolotta
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
In-Reply-To: <20000627.17395900@bartequi.ottodomain.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Jun 2000, Salvo Bartolotta wrote:

> Well, actually, my homebox will behave, as it were, like a Klingon
> spaceship: for example, it will normally deny **all** icmptypes except
> type 3 code 4 (DF). When I need to ping, traceroute, etc., I will
> *temporarily* remove some restrictions.

If you are using IP Filter, why not let it do the work for you? It is
very easy to set up a "cloaked" firewall machine like you describe with
IP Filter. In this situation, you can easily block all incoming
ICMP/UDP/TCP packets as a general rule and rely entirely on IP Filter
setting state rules for connections, traceroutes, or pings that were
initiated from behind the firewall. That will let traceroute and ping
automatically work from behind the firewall out to hosts outside the
firewall, but you are otherwise 100% invisible to any other host on the
Internet.

Paul Hart

-- 
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
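The cloaked, state-based ruleset Paul describes, written out as an IP Filter /etc/ipf.conf fragment. This is an added example and is not from the original message, from Salvo's own configuration, or from the IP Filter project; the external interface name fxp0 is an assumption, and it also carries over Salvo's one explicit exception (ICMP type 3 code 4 inbound) so that path-MTU discovery keeps working.

```ipf
# /etc/ipf.conf -- constructed example, not from the original message.
# Assumptions: fxp0 is the Internet-facing interface; no other interface
# is filtered (IP Filter passes any packet that matches no rule).
# Rules are evaluated in order; "quick" stops at the first match, so the
# pass rules that must win are listed before the catch-all blocks.

# Never filter loopback.
pass in  quick on lo0 all
pass out quick on lo0 all

# Salvo's single inbound exception: "fragmentation needed and DF set"
# (type 3, code 4) so path-MTU discovery works. Accepting it generates
# no reply, so it does not make the host visible. Must precede the block.
pass in quick on fxp0 proto icmp from any to any icmp-type unreach code 4

# Cloaked default: silently drop every unsolicited packet from the Internet.
# No return-rst / return-icmp, so scans and pings get nothing back.
# "log" makes the drops visible through ipmon(8).
block in log quick on fxp0 all

# Everything initiated from here is allowed out and creates a state entry.
# TCP: "flags S" means only a bare SYN may open state, so a stray ACK or
# FIN from outside cannot be used to pry a hole in the filter.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Replies (echo reply for ping; time exceeded and port unreachable for a
# UDP traceroute) are let back in only because the state table is checked
# before the "block in" rule above, which is exactly what Paul relies on.

# Anything else leaving via fxp0 (non-TCP/UDP/ICMP) is dropped and logged.
block out log quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.conf` and confirm the rule order with `ipfstat -hnio`; `ipfstat -s` shows the state table filling as connections, pings and traceroutes are started from inside, while a ping or port scan from outside should get no reply at all, with each dropped packet showing up in `ipmon -s`.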