From owner-freebsd-security Thu Nov 23 14:40:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from news.IAEhv.nl (news.IAE.nl [194.151.64.4]) by hub.freebsd.org (Postfix) with ESMTP id A82BB37B479 for ; Thu, 23 Nov 2000 14:40:54 -0800 (PST)
Received: (from uucp@localhost) by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id XAA08534; Thu, 23 Nov 2000 23:40:53 +0100 (MET)
Received: by adv.devet.org (Postfix, from userid 100) id 3EB5A44AD; Thu, 23 Nov 2000 23:40:17 +0100 (CET)
Date: Thu, 23 Nov 2000 23:40:17 +0100
To: tmd@tmd.df.ru
Cc: security@freebsd.org
Subject: Re: ipf - icmp
Message-ID: <20001123234017.A66597@adv.devet.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Newsgroups: list.freebsd.security
In-Reply-To:
Organization: Eindhoven, the Netherlands
From: Arjan.deVet@adv.iae.nl (Arjan de Vet)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In article you write:

>Perhaps there are other rules that follow before/after
>that supersede the icmp ones. Try using "quick" option.
>
>pass in quick on sis0 proto icmp from any to any icmp-type 0
>pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
>pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
>pass in quick on sis0 proto icmp from any to any icmp-type timex
>pass out quick on sis0 proto icmp from any to any
>
>these entries will allow you to ping/traceroute anyone, will prohibit
>anyone from pinging/tracerouting you.

The following set of rules will accomplish the same in a better way:

pass out quick on sis0 proto udp from any to any keep state keep frags
pass out quick on sis0 proto icmp from any to any keep state keep frags

The trick is to use 'keep state' on outgoing traceroute/ping udp/icmp
packets. ipfilter will match any incoming icmp packets with the state
table in an intelligent way.

This means that an incoming icmp packet will only be allowed through if
it matches with a traceroute/ping that originated from your machine.
E.g., a fake icmp echo-reply will be blocked.

I have no 'pass in' rules regarding icmp on my firewall, the ipfilter
state table handles all incoming icmp traffic automatically.

Arjan

--
Arjan de Vet, Eindhoven, The Netherlands
URL: http://www.iae.nl/users/devet/ for PGP key: finger devet@iae.nl

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
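The state-table behaviour described in the reply, modelled as an added example that is not ipfilter's code and not part of the original mail: outgoing UDP traceroute probes and ICMP echo requests create state entries, and incoming ICMP is passed only when it matches one of them (by the embedded datagram for unreach/timex, by address pair and echo id for echo-reply). Addresses, ids and the absence of entry timeouts are constructed simplifications.

```python
from dataclasses import dataclass, field
from typing import Optional

ICMP_ECHO_REPLY, ICMP_UNREACH, ICMP_ECHO, ICMP_TIMEX = 0, 3, 8, 11

@dataclass(frozen=True)
class Udp:
    src: str; dst: str; sport: int; dport: int

@dataclass(frozen=True)
class Icmp:
    src: str; dst: str; itype: int; code: int = 0
    ident: int = 0                 # echo identifier (types 8 and 0)
    inner: Optional[Udp] = None    # quoted original datagram (types 3 and 11)

@dataclass
class StateTable:
    """Simplified model of 'keep state' (no timeouts, no frag handling)."""
    udp: set = field(default_factory=set)
    echo: set = field(default_factory=set)

    def pass_out(self, pkt) -> bool:
        # 'pass out quick ... keep state': record the flow, then allow it.
        if isinstance(pkt, Udp):
            self.udp.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        elif isinstance(pkt, Icmp) and pkt.itype == ICMP_ECHO:
            self.echo.add((pkt.src, pkt.dst, pkt.ident))
        return True

    def pass_in(self, pkt: Icmp) -> bool:
        # No 'pass in ... icmp' rule exists: only state matches get through.
        if pkt.itype == ICMP_ECHO_REPLY:
            return (pkt.dst, pkt.src, pkt.ident) in self.echo
        if pkt.itype in (ICMP_UNREACH, ICMP_TIMEX) and pkt.inner is not None:
            q = pkt.inner  # match the quoted probe, not the ICMP source
            return (q.src, q.dst, q.sport, q.dport) in self.udp
        return False

def demo() -> dict:
    st = StateTable()
    probe = Udp("10.0.0.2", "192.0.2.9", 40000, 33434)            # traceroute
    st.pass_out(probe)
    st.pass_out(Icmp("10.0.0.2", "192.0.2.9", ICMP_ECHO, ident=0x1234))  # ping
    return {
        # time-exceeded from an intermediate router quoting our probe
        "timex_for_probe": st.pass_in(Icmp("198.51.100.1", "10.0.0.2", ICMP_TIMEX, inner=probe)),
        "echo_reply": st.pass_in(Icmp("192.0.2.9", "10.0.0.2", ICMP_ECHO_REPLY, ident=0x1234)),
        "fake_reply": st.pass_in(Icmp("203.0.113.7", "10.0.0.2", ICMP_ECHO_REPLY, ident=0x1234)),
        "unsolicited_echo": st.pass_in(Icmp("203.0.113.7", "10.0.0.2", ICMP_ECHO)),
    }
```

Note that the time-exceeded message is accepted although its outer source (a router on the path) never appears in the state table; it is the quoted inner datagram that is matched, which is what lets traceroute work without any inbound icmp rule.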