Date: Thu, 17 Aug 2000 02:25:06 -0400 (EDT) From: <scanner@jurai.net> To: Erick Mechler <emechler@sendmail.com> Cc: "Rashid N. Achilov" <achilov@granch.ru>, freebsd-security@FreeBSD.ORG Subject: Re: deny incoming icmp Message-ID: <Pine.BSF.4.21.0008170215520.6953-100000@sasami.jurai.net> In-Reply-To: <20000816221521.B23432@sendmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 16 Aug 2000, Erick Mechler wrote: > First you have to enable firewalling code in your kernel. Once you've done > that, the following two ipfw rules should do what you want: > > ipfw add deny icmp from any to any > ipfw add allow icmp from ${oip} to any via ${oif} > > where ${oip} is the IP address of your outside interface, and ${oif} is the > outside interface itself. Ok I was going to make this private but I want this on public record. Look people. You cannot just "flip off" ICMP without understanding the consequences. The above is bad advice. If your going to filter ICMP *do it correctly*. I see way to many post's today suggesting to just filter ICMP entirely. FEH! Read the following URL: http://users.worldgate.com/~marcs/mtu/ And then filter *correctly*. There very few reasons to place an embargo on the entire ICMP protocol. ============================================================================= -Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas Home: scanner@deceptively.shady.org | http://open-systems.net ============================================================================= WINDOWS: "Where do you want to go today?" LINUX: "Where do you want to go tommorow?" BSD: "Are you guys coming or what?" ============================================================================= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0008170215520.6953-100000>