Date: Tue, 04 May 1999 05:30:10 GMT From: mike@sentex.net (Mike Tancsa) To: dwhite@resnet.uoregon.edu (Doug White) Cc: questions@freebsd.org Subject: Re: ICMP-attack Message-ID: <372e84d7.60848625@mail.sentex.net> In-Reply-To: <MAILPine.BSF.4.03.9905031318470.20321-100000@resnet.uoregon.edu> References: <372DEB73.71F97568@qatar.net.qa> <MAILPine.BSF.4.03.9905031318470.20321-100000@resnet.uoregon.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3 May 1999 16:22:58 -0400, in sentex.lists.freebsd.questions you wrote: >On Mon, 3 May 1999, Fadi Sodah wrote: > >> What is the best firewall configuration to make smurf >> and ICMPs attack useless? > >deny icmp from any to any Actually, you want to be far more specific than that. You only want to disable icmp echo requests e.g assuming your outside interface is fxp0 ipfw add deny icmp from any to any in recv fxp0 icmptype 0,8 or just icmptype 8 allow your users to request pings. However, the problem is that despite denying ping requests, the damage is already done so to speak. If you connection is a t3, and someone sends 45Mbs of echo packets at you, it will already have traversed your link before your gateway eats them. Best to get your upstream to do it for you. ---Mike Mike Tancsa (mdtancsa@sentex.net) Sentex Communications Corp, Waterloo, Ontario, Canada To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?372e84d7.60848625>