From owner-freebsd-security Mon Feb 5 17:38:55 2001
Delivered-To: freebsd-security@freebsd.org
From: "Khairuddin Ghani"
Subject: dynamic ipfw ruleset to deny outgoing icmp attacks
Date: Mon, 5 Feb 2001 17:40:57 -0800
Sender: owner-freebsd-security@FreeBSD.ORG

Hi there.

I have a 4.2-S machine which lacks an upstream firewall to the net. While letting FreeBSD's ICMP_BANDLIM do its work, I also want to be able to disallow users from sending outgoing ICMP packets with malicious intent, while also allowing innocent users to be able to use ping(8)/etc.

How would I set up my ipfw ruleset for this scenario, if possible? Also, what other concerns should I have regarding other net protocols to avoid incoming/outgoing attacks?

Regards and thanks,
Khairuddin.