Date: Tue, 27 Jun 2000 11:18:36 -0700 (PDT) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: dmartin@origen.com (Richard Martin) Cc: bartequi@inwind.it (Salvo Bartolotta), freebsd-security@FreeBSD.ORG Subject: Re: icmp type 3 code 4: a couple of questions Message-ID: <200006271818.LAA92561@gndrsh.dnsmgr.net> In-Reply-To: <3958E1C5.18593553@origen.com> from Richard Martin at "Jun 27, 2000 10:17:57 am"
> Add:
>
> /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
> /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
> /sbin/ipfw add deny log icmp from any to any
>
> This lets the firewall machine ping in and out (used by Big Brother), but
> stops those that are not very useful, and blocks all ICMP to other machines past
> the firewall.
>
> Substitute in the ICMP types you want to allow each way, you can specify
> different ones both in and out.
>
> We use
>
> icmpallow="0,3,4,5,8,11,12,14,16,18"
>
> I wonder if anyone has any comments on the appropriateness of these
>
4=ICMP_SOURCEQUENCH, useless as most machines ignore it, can be
abused easily.
5=ICMP_REDIRECT, you don't want that one; it can be used to redirect
traffic to unwanted places.
14=ICMP_TSTAMPREPLY, useless without 13=ICMP_TSTAMP.
18=ICMP_MASKREPLY, useless without 17=ICMP_MASKREQ.
We usually run
icmpallow="0,3,8,11"
with special rules to allow 5 on the inside only.
We don't allow 12, and we don't see hits due to this, except for abuse.
Complete rule set looks like this:
01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11
01010 0 0 allow icmp from any to any via dc0 icmptype 5
01010 0 0 allow icmp from any to any via dc1 icmptype 5
01010 0 0 allow icmp from any to any via dc2 icmptype 5
01010 0 0 allow icmp from any to any via dc3 icmptype 5
01020 0 0 deny log logamount 100 icmp from any to any
(Note that the counts are not very high here, due to data collection
resetting the rules every few hours.)
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200006271818.LAA92561>
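The following is an added example, not code from the mail above or from the FreeBSD project: a small Python model of how ipfw walks the ICMP rule set listed in the reply, first match wins, rules with the same number in the order they were added. The rule listing is transcribed from the reply; the outside interface name "xl0" and the sample packets are constructed assumptions, since the reply names only the inside interfaces dc0 to dc3. Note that the listing as posted admits type 4 in rule 1000 even though the prose policy reads "0,3,8,11"; the model evaluates the listing as posted.

```python
"""Model of first-match ipfw evaluation for the ICMP rule set in the reply.
Added example, not from the original mail. LISTING is transcribed from the
reply; OUTSIDE_IFACE and SAMPLES are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Transcribed from the reply (`ipfw -a list` format: number, packets, bytes, rule).
LISTING = """\
01000 23000 1969619 allow icmp from any to any icmptype 0,3,4,8,11
01010 0 0 allow icmp from any to any via dc0 icmptype 5
01010 0 0 allow icmp from any to any via dc1 icmptype 5
01010 0 0 allow icmp from any to any via dc2 icmptype 5
01010 0 0 allow icmp from any to any via dc3 icmptype 5
01020 0 0 deny log logamount 100 icmp from any to any
"""

OUTSIDE_IFACE = "xl0"  # assumption: the reply only names the inside interfaces dc0-dc3

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+\s+\d+\s+"                # rule number, packet and byte counters
    r"(?P<action>allow|deny)"
    r"(?P<log>\s+log(?:\s+logamount\s+\d+)?)?"     # optional "log [logamount N]"
    r"\s+icmp\s+from\s+any\s+to\s+any"
    r"(?:\s+via\s+(?P<via>\S+))?"                  # optional interface match
    r"(?:\s+icmptypes?\s+(?P<types>[\d,]+))?\s*$"  # optional ICMP type list
)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    log: bool
    via: Optional[str]          # None: matches on any interface
    icmptypes: FrozenSet[int]   # empty: matches any ICMP type


def parse_listing(text: str) -> List[Rule]:
    """Parse `ipfw -a list` style lines, preserving listing order: ipfw
    evaluates rules that share a number in the order they were added."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        types = frozenset(int(t) for t in m["types"].split(",")) if m["types"] else frozenset()
        rules.append(Rule(int(m["num"]), m["action"], m["log"] is not None, m["via"], types))
    return rules


def decide(rules: List[Rule], icmp_type: int, iface: str) -> Tuple[str, int, bool]:
    """Return (action, rule number, logged?) for the first rule that matches.
    The ICMP code is deliberately not an input: none of these rules looks at
    it, so type 3 code 4 (fragmentation needed, used by path MTU discovery)
    is handled exactly like any other destination-unreachable message."""
    for rule in rules:
        if rule.icmptypes and icmp_type not in rule.icmptypes:
            continue
        if rule.via is not None and rule.via != iface:
            continue
        return rule.action, rule.number, rule.log
    # Nothing matched; ipfw falls through to its default rule 65535, which
    # is deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
    return "deny", 65535, False


# Constructed sample traffic: (description, ICMP type, arriving interface).
SAMPLES = [
    ("echo request from outside", 8, OUTSIDE_IFACE),
    ("frag-needed (type 3 code 4) from outside", 3, OUTSIDE_IFACE),
    ("redirect on inside dc0", 5, "dc0"),
    ("redirect from outside", 5, OUTSIDE_IFACE),
    ("timestamp request from outside", 13, OUTSIDE_IFACE),
]


def run_samples(rules: List[Rule]):
    """Decision for every constructed sample packet, keyed by description."""
    return {desc: decide(rules, t, i) for desc, t, i in SAMPLES}


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for desc, (action, num, logged) in run_samples(parsed).items():
        print(f"{desc:42s} -> {action} (rule {num}){' [logged]' if logged else ''}")
```

The interesting cases are the two redirects: the same type 5 message is accepted when it arrives on dc0 and falls through to the logging deny when it arrives on the outside interface, which is what "allow 5 on the inside only" means in practice. Anything not in the type list of rule 1000, such as a timestamp request (13), never reaches the inside.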
