From: Archie Cobbs
Message-Id: <199901172241.OAA21852@bubba.whistle.com>
Subject: Re: Small Servers - ICMP Redirect
In-Reply-To: <007701be4256$f01ff740$02c3fe90@cisco.com> from Justin Wolf at "Jan 17, 99 12:20:45 pm"
To: jjwolf@bleeding.com (Justin Wolf)
Date: Sun, 17 Jan 1999 14:41:02 -0800 (PST)
Cc: ben@rosengart.com, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG

Justin Wolf writes:
> >> 2) About ICMP redirect messages, as I learned they could be used to make
> >> our network disconnected and something. What's the way to prevent this
> >> kind of attack? Does blocking this kind of ICMP on firewall and routers
> >> cause any problem in connectivity and system behavior?
> >
> >I would block these messages from entering my network, absolutely.
>
> Keep in mind that flatly blocking all ICMP messages will prevent traces and
> pings both in and out of your network. It will also affect certain
> services... The best way to tailor this is to block everything and loosen
> it up as necessary to keep things from breaking.

This is the ICMP rule we generally use:

  ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18

This allows "safe" ICMP's to get in, so that ping, traceroute, etc. work,
while blocking potentially unsafe ICMP's. See /sys/netinet/ip_icmp.h
for definitions of the ICMP types.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
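
Added example (not part of the original message and not FreeBSD code): a small Python model of how the rule above treats inbound ICMP, using constructed sample packets and the type names from /sys/netinet/ip_icmp.h. It assumes unmatched inbound ICMP is dropped by a later deny rule or by the default policy, since rule 10 itself only allows; the function names are hypothetical.

```python
import re
import struct

# The rule from the message above, verbatim.
RULE = "ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18"

# Type names as defined in /sys/netinet/ip_icmp.h.
ICMP_NAMES = {0: "ICMP_ECHOREPLY", 3: "ICMP_UNREACH", 4: "ICMP_SOURCEQUENCH",
              5: "ICMP_REDIRECT", 8: "ICMP_ECHO", 11: "ICMP_TIMXCEED",
              12: "ICMP_PARAMPROB", 13: "ICMP_TSTAMP", 14: "ICMP_TSTAMPREPLY",
              15: "ICMP_IREQ", 16: "ICMP_IREQREPLY", 17: "ICMP_MASKREQ",
              18: "ICMP_MASKREPLY"}

def allowed_types(rule):
    """Extract the icmptypes list from an ipfw rule string."""
    m = re.search(r"\bicmptypes\s+([\d,]+)", rule)
    if not m:
        raise ValueError("rule has no icmptypes option")
    return {int(t) for t in m.group(1).split(",")}

def make_packet(icmp_type, code=0):
    """Constructed sample: 20-byte IPv4 header (proto 1) + 8-byte ICMP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + struct.pack("!BBHI", icmp_type, code, 0, 0)

def icmp_type_of(packet):
    """Return the ICMP type of an IPv4 packet, or None if not ICMP or truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 1:
        return None
    return packet[ihl]                    # first byte of the ICMP header

def verdict(packet, rule=RULE, default="deny"):
    """'allow' if rule 10 matches an inbound packet; else the assumed later deny."""
    t = icmp_type_of(packet)
    if t is None:
        return "not-icmp"
    return "allow" if t in allowed_types(rule) else default

if __name__ == "__main__":
    for t in (0, 3, 5, 8, 11, 13, 17):
        print(f"{t:>2} {ICMP_NAMES.get(t, '?'):<18} {verdict(make_packet(t))}")
```

Redirects (type 5) fall through to the deny, and so do inbound echo requests (type 8): pings and traceroutes started from inside still get their replies, but outside hosts cannot ping in.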