From owner-freebsd-security Tue Jun 27 10:23:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lunatic.oneinsane.net (lunatic.oneinsane.net [207.113.133.231]) by hub.freebsd.org (Postfix) with ESMTP id A125137B773 for ; Tue, 27 Jun 2000 10:23:43 -0700 (PDT) (envelope-from insane@lunatic.oneinsane.net)
Received: by lunatic.oneinsane.net (Postfix, from userid 1000) id 3E68315543; Tue, 27 Jun 2000 10:23:39 -0700 (PDT)
Date: Tue, 27 Jun 2000 10:23:39 -0700
From: Ron 'The InSaNe One' Rosson
To: Paul Hart
Cc: Salvo Bartolotta , freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <20000627102339.B861@lunatic.oneinsane.net>
Reply-To: Ron Rosson
Mail-Followup-To: Paul Hart , Salvo Bartolotta , freebsd-security@FreeBSD.ORG
References: <20000627.17395900@bartequi.ottodomain.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from hart@iserver.com on Tue, Jun 27, 2000 at 11:07:00AM -0600
X-Operating-System: FreeBSD lunatic.oneinsane.net 4.0-STABLE
X-Moon: The Moon is Waning Crescent (23% of Full)
X-Opinion: What you read here is my IMHO
X-Disclaimer: I am a firm believer in RTFM
X-WWW: http://www.oneinsane.net
X-PGP-KEY: http://www.oneinsane.net/~insane/insane2-pgp5i.txt
X-Uptime: 10:22AM up 4 days, 10:29, 1 user, load averages: 0.00, 0.03, 0.00
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 27 Jun 2000, Paul Hart was heard blurting out:
> On Tue, 27 Jun 2000, Salvo Bartolotta wrote:
>
> > Well, actually, my homebox will behave, as it were, like a Klingon
> > spaceship: for example, it will normally deny **all** icmptypes except
> > type 3 code 4 (DF). When I need to ping, traceroute, etc., I will
> > *temporarily* remove some restrictions.
>
> If you are using IP Filter, why not let it do the work for you?
>
> It is very easy to set up a "cloaked" firewall machine like you describe
> with IP Filter. In this situation, you can easily block all incoming
> ICMP/UDP/TCP packets as a general rule and rely entirely on IP Filter
> setting state rules for connections, traceroutes, or pings that were
> initiated from behind the firewall. That will let traceroute and ping
> automatically work from behind the firewall out to hosts outside the
> firewall, but you are otherwise 100% invisible to any other host on the
> Internet.
>
> Paul Hart
>

I would love to see your rule set that accomplishes this on a gateway
firewall. (No NAT)

TIA

--
------------------------------------------------------------------------------
Ron Rosson                              ... and a UNIX user said ...
The InSaNe One                                   rm -rf *
insane@oneinsane.net                    and all was /dev/null and *void()
------------------------------------------------------------------------------
Instant sex will never be better than the kind you have to peel and cook.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
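The kind of IP Filter rule set Paul describes, written here as an added illustration rather than anything posted in the thread: a routed (no NAT) gateway whose outside interface is `fxp0` and inside interface is `fxp1` (both assumed names), where everything arriving on the outside interface is dropped unless it matches a state entry created by traffic leaving from the gateway or the LAN behind it. The only unsolicited ICMP admitted is type 3 code 4 (fragmentation needed), so path MTU discovery keeps working while the box otherwise stays silent. The rules assume an IP Filter version that matches ICMP error messages (time exceeded, unreachable) against existing UDP and TCP state entries, which is what lets traceroute from the LAN work without opening inbound ICMP.

```conf
# /etc/ipf.conf -- example rule set, not from the original post.
# fxp0 = outside interface, fxp1 = inside LAN interface (assumed names).
# Rules use "quick" so the first match wins; order matters.

# Loopback and the trusted inside network pass unconditionally.
pass in  quick on lo0  all
pass out quick on lo0  all
pass in  quick on fxp1 all
pass out quick on fxp1 all

# Anything leaving via the outside interface creates a state entry.
# TCP: only a fresh SYN may open state, so stray segments cannot.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
# UDP (DNS, traceroute probes) and ICMP (ping) state entries also let
# the related ICMP error replies back in, per the assumption above.
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The one unsolicited ICMP message accepted from outside:
# type 3 code 4, "fragmentation needed and DF set", for path MTU discovery.
pass in quick on fxp0 proto icmp from any to any icmp-type 3 code 4

# Everything else on the outside interface is dropped and logged.
# No "return-rst" or "return-icmp": the host does not announce itself.
block in  log quick on fxp0 all
block out log quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch `ipfstat -s` to confirm that pings and traceroutes from the LAN are creating and expiring state entries; `ipmon` on the log output shows what the final block rules are discarding, which is the quickest check that no inbound hole was opened by accident.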