From owner-freebsd-security Sat Jul 18 14:41:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA01715 for freebsd-security-outgoing; Sat, 18 Jul 1998 14:41:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA01695 for ; Sat, 18 Jul 1998 14:41:19 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id JAA04449; Sun, 19 Jul 1998 09:40:34 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Sun, 19 Jul 1998 09:40:34 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Hallam Oaks P/L list account
cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: rc.firewall (was Re: Large-scale scan of SNMP ports)
In-Reply-To: <199807180456.OAA04248@mail.aussie.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 18 Jul 1998, Hallam Oaks P/L list account wrote:

> ###############################################################################
> # ALLOW ICMP ENTRIES
> ###############################################################################
>
> # Allow ICMP from our local network - so PC's can ping things on the 'net
> # Makes us and the PC's vulnerable to certain types of attacks
>
> # It would be nice if IPFW had the ability to 'see' an outgoing ICMP echo request,
> # (which we could enable in one direction only), and then optionally automatically
> # enable incoming ICMP to the sending IP address for a specified # of seconds.
> # But it can't so we just leave it on all the time ...
> $fwcmd add pass icmp from any to any

I've just gotten to looking at icmp.
I left this in overnight:

40000   28   2320 allow log icmp from any to xx.xx.xx.xx
40010    5   1032 allow log icmp from xx.xx.xx.xx to any

where xx.xx.xx.xx is my machine's ip.

What I've gotten back shows ICMP:11.0 packets coming in from local and distant routers, with no outgoing reply, and ICMP:4.0 and ICMP:8.0 packets coming in with an ICMP:0.0 reply to each.

So far I don't understand a lot of what I found in icmp.h about these codes, so presumably I'll have to dig out the appropriate RFC in order to get a broader understanding of what icmp does and what I want to concern myself with.

-------------------
# might be useful to someone

# log incoming pings
allow log icmp from any to xx.xx.xx.xx icmptype 8

# picks up traceroute probes, but probably other things as well
allow log icmp from xx.xx.xx.xx to any icmptype 3

# this one will pick up a standard unix traceroute, but a doctored one
# could use other ports
allow udp from xx.xx.xx.xx to any 33400-33499
--------------------

Can anyone explain this... Took place within a second while I've been writing this, repeated 2 minutes later. yy.yy.yy.yy is a distant remote host.

ipfw: 40000 Accept ICMP:8.0 yy.yy.yy.yy xx.xx.xx.xx in via de0
ipfw: 40000 Accept ICMP:166.79 yy.yy.yy.yy xx.xx.xx.xx in via de0 Fragment = 69
ipfw: 40010 Accept ICMP:0.0 xx.xx.xx.xx yy.yy.yy.yy out via de0

Is the 79 in the middle line the port number of a fragmented packet? There's been some stuff about finger and nis lately.

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
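A decoder for ipfw ICMP log lines of the kind quoted in the message above, added here as an example; it is not part of the original post or of FreeBSD. It parses the `ipfw: <rule> <action> ICMP:<type>.<code> <src> <dst> <in|out> via <iface> [Fragment = <offset>]` format shown in the post, names the type and code per RFC 792, and treats a line with a non-zero `Fragment =` offset separately: the ICMP header is carried only in the first fragment, so for any later fragment the two bytes ipfw prints as type.code are payload data sitting where the header would be, which is how an unassigned value such as 166 shows up in a log. The sample log lines, and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses standing in for the xx/yy hosts, are constructed for this example.

```python
"""Decode ipfw ICMP log lines (format as in the 1998 rc.firewall thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMP message types from RFC 792 (the ones that matter for a host firewall log).
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
}

# Codes for the two types whose code field carries the interesting detail.
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}

# One ipfw log line; the trailing "Fragment = N" is optional and N is the
# fragment offset in 8-byte units (0 means the first fragment, header present).
LOG_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\S+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
    r"(?: Fragment = (?P<frag>\d+))?\s*$"
)


@dataclass
class IcmpLogEntry:
    rule: int
    action: str
    icmp_type: int
    icmp_code: int
    src: str
    dst: str
    direction: str
    iface: str
    frag_offset: Optional[int]  # 8-byte units as printed; None when no Fragment field
    description: str            # human-readable decoding of type.code


def parse_ipfw_icmp(line: str) -> Optional[IcmpLogEntry]:
    """Parse one log line; returns None for lines that are not ipfw ICMP records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    itype, icode = int(m["type"]), int(m["code"])
    frag = int(m["frag"]) if m["frag"] is not None else None
    if frag:
        # Non-zero offset: not the first fragment, so no ICMP header is present
        # in this packet and the printed type.code bytes are payload, not ICMP.
        desc = (f"non-initial fragment at byte offset {frag * 8}: ICMP header absent, "
                f"{itype}.{icode} is payload data rather than a type/code")
    else:
        name = ICMP_TYPES.get(itype, "unassigned type")
        code_name = ICMP_CODES.get(itype, {}).get(icode)
        desc = f"{name} ({code_name})" if code_name else name
    return IcmpLogEntry(int(m["rule"]), m["action"], itype, icode, m["src"], m["dst"],
                        m["direction"], m["iface"], frag, desc)


def summarize(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count decoded records per (direction, description); non-matching lines are skipped."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        entry = parse_ipfw_icmp(line)
        if entry is None:
            continue
        key = (entry.direction, entry.description)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log, mirroring the exchange in the message (a ping, a later
# fragment of it, the reply), plus a time-exceeded and a port-unreachable record.
SAMPLE_LOG = [
    "ipfw: 40000 Accept ICMP:8.0 198.51.100.7 192.0.2.10 in via de0",
    "ipfw: 40000 Accept ICMP:166.79 198.51.100.7 192.0.2.10 in via de0 Fragment = 69",
    "ipfw: 40010 Accept ICMP:0.0 192.0.2.10 198.51.100.7 out via de0",
    "ipfw: 40000 Accept ICMP:11.0 203.0.113.1 192.0.2.10 in via de0",
    "ipfw: 40010 Accept ICMP:3.3 192.0.2.10 198.51.100.7 out via de0",
    "Jul 19 09:40:34 host kernel: something unrelated",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        entry = parse_ipfw_icmp(raw)
        if entry is not None:
            print(f"{entry.direction:3} {entry.src} -> {entry.dst}: {entry.description}")
    for (direction, desc), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3} {direction:3} {desc}")
```

The parser keys its fragment handling on the offset being non-zero rather than on the presence of the `Fragment =` field, because ipfw also prints that field for a first fragment (offset 0), and in that case the header and its type.code are real.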