From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: "Karsten W. Rohrbach"
Cc: gkshenaut@ucdavis.edu, security@FreeBSD.ORG
Date: Mon, 1 Oct 2001 13:25:28 -0700
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <20011001132528.C304@blossom.cjclark.org>
In-Reply-To: <20010929013148.B37579@mail.webmonster.de>

On Sat, Sep 29, 2001 at 01:31:48AM +0200, Karsten W. Rohrbach wrote:
> stateful rules would be better, i don't know if this can be done with
> ipfw (but i guess it should work somehow).

There isn't really a good way to do it with dynamic rules in ipfw(8).

> that's the ipfilter config for getting traceroute to work, for those who
> are interested...
>
> # traceroute=30
> pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 30 keep state
> pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 30 keep state

If you actually find a traceroute program that uses the RFC1393
protocol, I'd like to see it.
-- 
Crist J. Clark                           cjclark@alum.mit.edu