Date: Thu, 17 Aug 2000 08:23:10 -0500
From: Richard Martin <dmartin@origen.com>
To: Manfredi Blasucci <sonoro@inet.it>
Cc: "Rashid N. Achilov" <achilov@granch.ru>, Erick Mechler <emechler@sendmail.com>, freebsd-security@FreeBSD.ORG
Subject: Re: deny incoming icmp
Message-ID: <399BE73E.5C380746@origen.com>
References: <XFMail.000817160509.shelton@sentry.granch.ru> <399BB063.EB511C8A@inet.it>
Correct me if I am wrong, but wouldn't a single rule be faster?

/sbin/ipfw add pass icmp from ${oip} to any icmptypes 0,3,4,8,11,12 # outward
/sbin/ipfw add pass icmp from any to ${oip} icmptypes 0,3,4,11,12 # inward

(icmp type 4 is source quench)

and you may not want to log every ping, but know what isn't getting in

/sbin/ipfw add deny log icmp from any to any

> Try with those:
>
> ${fwcmd} add allow log icmp from any to $ip via $eth out
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 0 <- Echo Reply
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 3 <- Destination Unreachable
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 8 <- Echo
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 11 <- Time Exceeded
> ${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 12 <- Parameter Problem
>
> See also http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf.
>
> Bye,
> Manf

--
Richard Martin dmartin@origen.com
OriGen, inc. Tel: +1 512 474 7278
2525 Hartford Rd. Fax: +1 512 708 8522
Austin, TX 78703 http://www.origen.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
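The catch-all `deny log` rule above is only useful if somebody reads what it logs. The following is an added example, not code from this thread or from FreeBSD: it parses syslog lines in the shape ipfw's `log` keyword produces, counts what was denied by ICMP type and by source, and flags any logged decision that disagrees with the allow-list of types the rules above are meant to enforce (0,3,4,11,12 inbound; 8 added outbound). The log lines, addresses, rule numbers and interface name are constructed for the example.

```python
import re
from collections import Counter

# ICMP types the ruleset in the message admits, per direction.
ALLOWED_IN = {0, 3, 4, 11, 12}
ALLOWED_OUT = {0, 3, 4, 8, 11, 12}

# Shape of a logged ipfw decision (constructed, matching the documented
# "rule action PROTO:type.code src dst dir via iface" layout).
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample syslog excerpt, assuming the 2000-era "/kernel:" tag.
SAMPLE_LOG = [
    "Aug 17 08:20:01 gw /kernel: ipfw: 300 Deny ICMP:13.0 203.0.113.7 192.0.2.10 in via fxp0",
    "Aug 17 08:20:02 gw /kernel: ipfw: 300 Deny ICMP:13.0 203.0.113.7 192.0.2.10 in via fxp0",
    "Aug 17 08:20:05 gw /kernel: ipfw: 300 Deny ICMP:8.0 203.0.113.9 192.0.2.10 in via fxp0",
    "Aug 17 08:20:07 gw /kernel: ipfw: 100 Accept ICMP:3.3 198.51.100.4 192.0.2.10 in via fxp0",
    "Aug 17 08:20:09 gw /kernel: ipfw: 200 Accept ICMP:5.1 198.51.100.4 192.0.2.10 in via fxp0",
    "Aug 17 08:20:11 gw sshd[412]: Accepted publickey for root from 192.0.2.2",
]

def parse_line(line):
    """Return a dict of the logged ipfw fields, or None for non-ipfw lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("rule", "type", "code"):
        d[key] = int(d[key])
    return d

def summarize(lines):
    """Count denied ICMP by type and by source; list decisions that contradict the allow-list."""
    by_type, by_src, mismatches = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        allowed = ALLOWED_IN if rec["dir"] == "in" else ALLOWED_OUT
        expected = "Accept" if rec["type"] in allowed else "Deny"
        if rec["action"] != expected:
            mismatches.append(rec)      # a rule admits (or drops) a type the policy does not
        if rec["action"] == "Deny":
            by_type[rec["type"]] += 1
            by_src[rec["src"]] += 1
    return by_type, by_src, mismatches
```

On the sample, the accepted type 5 (redirect) from 198.51.100.4 is reported as a mismatch, which is the kind of stray rule a quick review of the log would otherwise miss.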