Date:      Thu, 23 Nov 2000 23:40:17 +0100
From:      Arjan.deVet@adv.iae.nl (Arjan de Vet)
To:        tmd@tmd.df.ru
Cc:        security@freebsd.org
Subject:   Re: ipf - icmp
Message-ID:  <20001123234017.A66597@adv.devet.org>
In-Reply-To: <Pine.BSF.4.21.0011231431360.18361-100000@tmd.df.ru>
References:  <Pine.BSF.4.21.0011231135060.75171-100000@libertad.univalle.edu.co>

In article <Pine.BSF.4.21.0011231431360.18361-100000@tmd.df.ru> you write:

>Perhaps there are other rules that follow before/after 
>that supersede the icmp ones. Try using "quick" option.
>
>pass in quick on sis0 proto icmp from any to any icmp-type 0
>pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
>pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
>pass in quick on sis0 proto icmp from any to any icmp-type timex  
>pass out quick on sis0 proto icmp from any to any
>
>these entries will allow you to ping/traceroute anyone, and will prohibit
>anyone from pinging/tracerouting you.

The following set of rules will accomplish the same in a better way:

    pass out quick on sis0 proto udp from any to any keep state keep frags
    pass out quick on sis0 proto icmp from any to any keep state keep frags

The trick is to use 'keep state' on outgoing traceroute/ping udp/icmp
packets. ipfilter will match any incoming icmp packets with the state
table in an intelligent way. This means that an incoming icmp packet
will only be allowed through if it matches with a traceroute/ping that
originated from your machine. E.g., a fake icmp echo-reply will be
blocked.

I have no 'pass in' rules regarding icmp on my firewall, the ipfilter
state table handles all incoming icmp traffic automatically.

Arjan

-- 
Arjan de Vet, Eindhoven, The Netherlands              <Arjan.deVet@adv.iae.nl>
URL: http://www.iae.nl/users/devet/           for PGP key: finger devet@iae.nl


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
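The stateful matching described in the message above, as an added toy model (not ipfilter's code, and not from this thread): outgoing udp/icmp flows are recorded by 'keep state', and an incoming ICMP packet is admitted only when it answers a recorded flow, either an echo-reply with the right id/seq, or an unreach/time-exceeded error whose quoted inner header is a flow this host sent. Addresses, ports and ICMP ids are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "icmp"
    src: str
    dst: str
    key: tuple   # (sport, dport) for udp; (icmp id, seq) for icmp echo


class StateTable:
    """Simplified stand-in for the state table that 'keep state' builds."""

    def __init__(self):
        self.flows = set()

    def pass_out(self, flow: Flow) -> None:
        # 'pass out quick ... keep state': remember every outgoing udp/icmp flow
        self.flows.add(flow)

    def allow_in(self, icmp_type: str, src: str, dst: str,
                 key: tuple = (), inner: Optional[Flow] = None) -> bool:
        # There are no 'pass in' rules: incoming ICMP passes only if the state
        # table ties it to traffic this host originated.
        if icmp_type == "echo-reply":
            # a reply swaps src/dst and must carry the id/seq of our own request
            return Flow("icmp", dst, src, key) in self.flows
        if icmp_type in ("unreach", "time-exceeded"):
            # errors quote the header of the packet that triggered them; admit
            # the error only when that quoted packet is one we sent
            return inner is not None and inner in self.flows
        return False   # unsolicited echo-request, redirect, etc. are dropped


def demo():
    st = StateTable()
    me, hop, target = "10.0.0.2", "192.0.2.1", "198.51.100.9"  # constructed
    probe = Flow("udp", me, target, (40000, 33434))   # traceroute udp probe
    echo = Flow("icmp", me, target, (7, 1))           # ping, icmp id 7 seq 1
    st.pass_out(probe)
    st.pass_out(echo)
    return {
        "ttl-exceeded for our probe": st.allow_in("time-exceeded", hop, me, inner=probe),
        "port-unreach for our probe": st.allow_in("unreach", target, me, inner=probe),
        "echo-reply to our ping": st.allow_in("echo-reply", target, me, key=(7, 1)),
        "fake echo-reply (wrong id)": st.allow_in("echo-reply", target, me, key=(9, 1)),
        "unsolicited echo-request": st.allow_in("echo-request", hop, me, key=(1, 1)),
        "unreach quoting a packet we never sent": st.allow_in(
            "unreach", hop, me, inner=Flow("udp", me, target, (40001, 33434))),
    }
```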