From owner-freebsd-security Wed Aug 11 23:16:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1])
	by hub.freebsd.org (Postfix) with ESMTP id F083314E83
	for ; Wed, 11 Aug 1999 23:16:24 -0700 (PDT)
	(envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost)
	by rapidnet.com (8.9.3/8.9.3) with ESMTP id AAA80642;
	Thu, 12 Aug 1999 00:16:07 -0600 (MDT)
Date: Thu, 12 Aug 1999 00:16:07 -0600 (MDT)
From: Nick Rogness
To: Jason Schwab
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw
In-Reply-To: <37b234fe.c8.0@telebot.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 11 Aug 1999, Jason Schwab wrote:

> what rules should I add to my ipfw ruleset to block out icmp
> floods and smurf attacks, etc thanks.

For smurf attacks, I've done it 2 different ways before, assuming
your local net is 192.168.0.0/24:

	# Permit traffic from local net 192.168.0.0/24 to broadcast addr.
	ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32

	# Deny log traffic from outside local net to local broadcast
	ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0

or:

	# Deny log ICMP echo requests to broadcast from anywhere (1 line)
	ipfw add 2000 deny log icmp from any to 192.168.0.255/32 in via de0 icmptypes 8

Flood pinging is a bit more difficult. You probably can use
DUMMYNET for this but I have never used it for that before, so I
can't wave you in one direction or the other from using it. We
block this garbage with our Ciscos so I'm not sure on it. But look
in LINT at 'options ICMP_BANDLIM' or the sysctl switch.

*******************************************************************
  Nick Rogness                   Shaw's Principle:
  System Administrator             Build a system that even a fool
  RapidNet, INC                    can use, and only a fool will
  nick@rapidnet.com                want to use it.
*******************************************************************
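
Added example, not part of the message above: the rules in the reply hard-code 192.168.0.255, which is only the broadcast address for a /24. This sh sketch derives the directed-broadcast address for any prefix length and prints (does not run) the first rule pair from the reply; the function names and the 10.1.2.64/26 sample network are constructed for illustration.

```shell
#!/bin/sh
# Added example: compute a net's directed-broadcast address and print the
# permit/deny pair from the reply for it. Nothing is passed to ipfw.

# ip_to_int A.B.C.D -> 32-bit integer on stdout; fails on malformed input
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading 0
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad on stdout
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_of ADDR/LEN -> broadcast address: every host bit set to 1
broadcast_of() {
    addr=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$len" -le 30 ] || return 1      # /31 and /32 have no broadcast address
    n=$(ip_to_int "$addr") || return 1
    host=$(( (1 << (32 - len)) - 1 ))  # mask covering the host bits
    int_to_ip $(( n | host ))
}

# smurf_rules CIDR IFACE -> the two rules of the reply's first variant
smurf_rules() {
    b=$(broadcast_of "$1") || { echo "bad network: $1" >&2; return 1; }
    echo "ipfw add 1000 permit ip from $1 to $b/32"
    echo "ipfw add 2000 deny log ip from any to $b/32 in via $2"
}

smurf_rules 192.168.0.0/24 de0   # the net and interface used in the reply
smurf_rules 10.1.2.64/26 de0     # constructed sample: broadcast is .127, not .255
```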