Date: Tue, 27 Jun 2000 11:18:36 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: dmartin@origen.com (Richard Martin)
Cc: bartequi@inwind.it (Salvo Bartolotta), freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <200006271818.LAA92561@gndrsh.dnsmgr.net>
In-Reply-To: <3958E1C5.18593553@origen.com> from Richard Martin at "Jun 27, 2000 10:17:57 am"
> Add:
>
> /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
> /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
> /sbin/ipfw add deny log icmp from any to any
>
> This lets the firewall machine ping in and out (used by Big Brother), but
> stops those not very useful, and blocks all ICMP to other machines past
> the firewall.
>
> Substitute in the ICMP types you want to allow each way; you can specify
> different ones both in and out.
>
> We use
>
> icmpallow="0,3,4,5,8,11,12,14,16,18"
>
> I wonder if anyone has any comments on the appropriateness of these.

4=ICMP_SOURCEQUENCH, useless as most machines ignore it, can be abused easily.
5=ICMP_REDIRECT, you don't want that one; it can be used to redirect traffic to unwanted places.
14=ICMP_TSTAMPREPLY, useless without 13=ICMP_TSTAMP.
18=ICMP_MASKREPLY, useless without 17=ICMP_MASKREQ.

We usually run icmpallow="0,3,8,11" with special rules to allow 5 on the inside only. We don't allow 12, and we don't see hits due to this, except for abuse.

Complete rule set looks like this:

01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11
01010     0       0 allow icmp from any to any via dc0 icmptype 5
01010     0       0 allow icmp from any to any via dc1 icmptype 5
01010     0       0 allow icmp from any to any via dc2 icmptype 5
01010     0       0 allow icmp from any to any via dc3 icmptype 5
01020     0       0 deny log logamount 100 icmp from any to any

(Note that the counts are not very high here, due to data collection resetting the rules every few hours.)

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
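The thread's advice boils down to a policy: pass echo/unreachable/time-exceeded (0, 3, 8, 11), never pass source quench (4), timestamp (13/14) or mask (17/18) through the border, and confine redirect (5) to rules pinned to an inside interface with "via". The script below is an added example (not from the thread or from FreeBSD) that parses "ipfw -a list" style output and reports allow rules violating that policy. The sample listing, the RISKY_TYPES table and the function names are the example's own constructions; the rule-line regex is a simplification that covers the syntax seen in the thread, not the full ipfw grammar.

```python
import re

# ICMP types the thread recommends keeping off a border firewall, with the
# reason given there (names follow FreeBSD's netinet/ip_icmp.h).
RISKY_TYPES = {
    4: "ICMP_SOURCEQUENCH: ignored by most hosts, easily abused",
    5: "ICMP_REDIRECT: can steer traffic to unwanted places",
    13: "ICMP_TSTAMP: timestamp request, rarely needed",
    14: "ICMP_TSTAMPREPLY: useless without 13",
    17: "ICMP_MASKREQ: address mask request, rarely needed",
    18: "ICMP_MASKREPLY: useless without 17",
}

# Constructed sample of `ipfw -a list` output, modelled on the listing in the
# thread. Rule 01015 is an added bad rule: redirect allowed on every interface.
SAMPLE_LISTING = """\
01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11
01010     0       0 allow icmp from any to any via dc0 icmptype 5
01010     0       0 allow icmp from any to any via dc1 icmptype 5
01015     7     560 allow icmp from any to any icmptype 5
01020     0       0 deny log logamount 100 icmp from any to any
"""

# Simplified rule grammar: number, packet count, byte count, action,
# optional "log [logamount N]", protocol, "from X to Y", then options.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<action>allow|pass|accept|permit|deny|drop|reject|unreach\S*)\s+"
    r"(?:log\s+(?:logamount\s+\d+\s+)?)?"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?P<rest>.*)$"
)


def parse_rules(listing):
    """Turn each line of the listing into a dict of the fields the audit needs."""
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipfw line: {line!r}")
        rest = m.group("rest")
        via = re.search(r"\bvia\s+(\S+)", rest)
        # Listing output prints "icmptype"; the add command spells it "icmptypes".
        types = re.search(r"\bicmptypes?\s+([\d,]+)", rest)
        rules.append({
            "num": int(m.group("num")),
            "pkts": int(m.group("pkts")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "via": via.group(1) if via else None,
            "icmptypes": {int(t) for t in types.group(1).split(",")} if types else None,
        })
    return rules


def audit_icmp(rules):
    """Return (rule number, icmp type or None, reason) for every policy violation."""
    findings = []
    for r in rules:
        if r["proto"] != "icmp" or r["action"] not in ("allow", "pass", "accept", "permit"):
            continue
        if r["icmptypes"] is None:
            findings.append((r["num"], None, "allows every ICMP type"))
            continue
        for t in sorted(r["icmptypes"] & set(RISKY_TYPES)):
            # Redirect pinned to one interface is what the thread's inside-only rules do.
            if t == 5 and r["via"] is not None:
                continue
            findings.append((r["num"], t, RISKY_TYPES[t]))
    return findings


if __name__ == "__main__":
    for num, icmp_type, reason in audit_icmp(parse_rules(SAMPLE_LISTING)):
        print(f"rule {num:05d}: type {icmp_type}: {reason}")
```

On the sample it flags rule 01000 for passing type 4 and rule 01015 for an unscoped redirect, while the "via dc0"/"via dc1" redirect rules and the final deny pass clean. Feed it real output with "ipfw -a list" piped into parse_rules; the packet counters it keeps are useful for seeing which flagged rules are actually matching traffic.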