From owner-freebsd-isp Thu Jul 1 20:11: 5 1999
Date: Fri, 10 Jun 1994 19:29:20 +1000 (EST)
From: Rowan Crowe
To: freebsd-isp@freebsd.org
Subject: ipfw - can it deny ICMP "3.2" (type 3, subtype 2)?

Hi all,

In the process of using tcpdump to check that traffic was flowing through the correct links after some routing changes, I noticed an attack on one of my users...

12:55:34.711241 193.230.186.164 > 203.20.114.159: icmp: 207.114.0.144 protocol 6 unreachable

I added in a temporary ipfw block to deny and log anything from that IP:

Jul 2 12:55:58 satin /kernel: ipfw: 1 Deny ICMP:3.2 193.230.186.164 203.20.114.159 in via ppp0
Jul 2 12:56:25 satin last message repeated 1736 times

As this is a reasonably common attack and fairly simplistic in nature I thought I might be able to get ipfw to block it. However, after some head scratching and reading of the man pages it seems that ipfw will not allow me to block a "subtype" such as the '.2' in 3.2.

satin# ipfw a 1 deny icmp from 1.2.3.4 to 1.2.3.4 icmptypes 3.2
ipfw: error: invalid ICMP type

I can't just blanket block type 3 as that's destination unreachable, which generally is a legitimate ICMP message that should be passed.

Any ideas?

Cheers.

--
Rowan Crowe                    http://www.rowan.sensation.net.au/
Sensation Internet Services    http://www.sensation.net.au/
Melbourne, Australia           Phone: +61-3-9388-9260
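
Added example, not part of the original message: a Python tally of ipfw "Deny ICMP:type.code" syslog lines per source, which credits syslog's "last message repeated N times" lines to the preceding ipfw entry so a flood like the 3.2 one above can be sized from the log. The sample log is constructed (its first two lines are the ones quoted in the message), and all function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are quoted from the message,
# the remaining lines are made up to exercise the edge cases.
SAMPLE_LOG = """\
Jul  2 12:55:58 satin /kernel: ipfw: 1 Deny ICMP:3.2 193.230.186.164 203.20.114.159 in via ppp0
Jul  2 12:56:25 satin last message repeated 1736 times
Jul  2 12:57:01 satin /kernel: ipfw: 1 Deny ICMP:3.1 192.0.2.7 203.20.114.159 in via ppp0
Jul  2 12:57:02 satin named[88]: unrelated line
Jul  2 12:57:03 satin last message repeated 3 times
"""

ICMP_DENY = re.compile(r"ipfw: \d+ Deny ICMP:(\d+)\.(\d+) (\S+) (\S+) in via \S+")
REPEAT = re.compile(r"last message repeated (\d+) times")

# ICMP type 3 (destination unreachable) codes from RFC 792.
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 4: "fragmentation needed", 5: "source route failed"}

def tally(log_text):
    """Count denied ICMP packets per (src, dst, type, code)."""
    counts = Counter()
    last_key = None  # set only while the previous message was an ipfw ICMP deny
    for line in log_text.splitlines():
        deny = ICMP_DENY.search(line)
        if deny:
            icmp_type, code, src, dst = deny.groups()
            last_key = (src, dst, int(icmp_type), int(code))
            counts[last_key] += 1
            continue
        repeat = REPEAT.search(line)
        if repeat:
            # A repeat line refers to the previous message; only credit it
            # when that message was an ipfw deny, not some other daemon's line.
            if last_key is not None:
                counts[last_key] += int(repeat.group(1))
            continue
        last_key = None  # any other message breaks the repeat chain
    return counts

def flood_sources(counts, threshold=100):
    """Return (src, dst, 'type.code', label, count) rows at or above threshold."""
    rows = []
    for (src, dst, icmp_type, code), n in counts.most_common():
        if n >= threshold:
            label = UNREACH_CODES.get(code, "?") if icmp_type == 3 else "?"
            rows.append((src, dst, f"{icmp_type}.{code}", label, n))
    return rows

if __name__ == "__main__":
    for row in flood_sources(tally(SAMPLE_LOG)):
        print(*row)
```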