Date: Thu, 17 Aug 2000 02:25:06 -0400 (EDT) From: <scanner@jurai.net> To: Erick Mechler <emechler@sendmail.com> Cc: "Rashid N. Achilov" <achilov@granch.ru>, freebsd-security@FreeBSD.ORG Subject: Re: deny incoming icmp Message-ID: <Pine.BSF.4.21.0008170215520.6953-100000@sasami.jurai.net> In-Reply-To: <20000816221521.B23432@sendmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 16 Aug 2000, Erick Mechler wrote:
> First you have to enable firewalling code in your kernel. Once you've done
> that, the following two ipfw rules should do what you want:
>
> ipfw add deny icmp from any to any
> ipfw add allow icmp from ${oip} to any via ${oif}
>
> where ${oip} is the IP address of your outside interface, and ${oif} is the
> outside interface itself.
Ok I was going to make this private but I want this on public record.
Look people. You cannot just "flip off" ICMP without understanding the
consequences. The above is bad advice. If your going to filter ICMP
*do it correctly*. I see way to many post's today suggesting to just
filter ICMP entirely. FEH!
Read the following URL: http://users.worldgate.com/~marcs/mtu/
And then filter *correctly*. There very few reasons to place an embargo on
the entire ICMP protocol.
=============================================================================
-Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tommorow?"
BSD: "Are you guys coming or what?"
=============================================================================
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0008170215520.6953-100000>