From owner-freebsd-security Thu Aug 17 03:52:09 2000
Delivered-To: freebsd-security@freebsd.org
Received: from small-2.inet.it (small-2.inet.it [194.20.8.11]) by hub.freebsd.org (Postfix) with ESMTP id DE06037B88B for ; Thu, 17 Aug 2000 03:51:36 -0700 (PDT)
Received: (from trusted@localhost) by small-2.inet.it (AIX4.3/8.9.3/8.9.3) id LAA138782; Thu, 17 Aug 2000 11:28:19 +0200
Received: from sonoro.inet.it(194.185.73.48) by small-2.inet.it via I-SMTP id queue/s-194.185.73.48-eth8Ma; Thu Aug 17 11:28:17 2000
Message-ID: <399BB063.EB511C8A@inet.it>
Date: Thu, 17 Aug 2000 11:29:07 +0200
From: Manfredi Blasucci
X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: it, en
MIME-Version: 1.0
To: "Rashid N. Achilov"
Cc: Erick Mechler , freebsd-security@FreeBSD.ORG
Subject: Re: deny incoming icmp
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Rashid N. Achilov" wrote:
>
> Sorry, more precision...
>
> I have a firewall, protecting my network. IPFIREWALL, IPFIREWALL_VERBOSE, IPFIREWALL_FORWARD
> enabled. What can I allow icmp from our network any deny/fake incoming to our network icmp?
> --

Try with those:

${fwcmd} add allow log icmp from any to $ip via $eth out
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 0    # Echo Reply
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 3    # Destination Unreachable
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 8    # Echo
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 11   # Time Exceeded
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 12   # Parameter Problem

See also http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf.

Bye,
Manf

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
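As an added example (not part of Manfredi's post or of ipfw itself), the Python below parses a raw ICMP message, verifies its RFC 1071 checksum, and applies the same inbound policy as the rules above: only types 0, 3, 8, 11 and 12 are admitted, everything else (redirects, timestamp requests and the like) is denied. The packets it is fed are constructed in the test, not captured traffic.

```python
import struct

# ICMP types the reply's ipfw rules admit inbound (RFC 792 numbers).
ALLOWED_INBOUND_TYPES = {
    0: "echo-reply",
    3: "destination-unreachable",
    8: "echo-request",
    11: "time-exceeded",
    12: "parameter-problem",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (test input only)."""
    header = struct.pack("!BBH4s", icmp_type, code, 0, b"\x00" * 4)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBH4s", icmp_type, code, csum, b"\x00" * 4) + payload


def classify_inbound(packet: bytes) -> str:
    """Return 'allow <name>' or 'deny <reason>' for an inbound ICMP message."""
    if len(packet) < 8:                     # ICMP header is 8 bytes minimum
        return "deny truncated-header"
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    if inet_checksum(packet) != 0:          # a valid message sums to zero
        return "deny bad-checksum"
    name = ALLOWED_INBOUND_TYPES.get(icmp_type)
    if name is None:                        # same effect as ipfw's default deny
        return "deny type-%d" % icmp_type
    return "allow %s" % name


if __name__ == "__main__":
    for t, c in ((8, 0), (3, 3), (13, 0), (5, 1)):
        print(t, c, classify_inbound(build_icmp(t, c)))
```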