From owner-freebsd-isp Fri Jul 2 10:35: 2 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38])
	by hub.freebsd.org (Postfix) with ESMTP id 6C7F01562C
	for ; Fri, 2 Jul 1999 10:35:00 -0700 (PDT)
	(envelope-from julian@whistle.com)
Received: from current1.whistle.com (current1.whistle.com [207.76.205.22])
	by alpo.whistle.com (8.9.1a/8.9.1) with SMTP id KAA27927;
	Fri, 2 Jul 1999 10:34:51 -0700 (PDT)
Date: Fri, 2 Jul 1999 10:34:49 -0700 (PDT)
From: Julian Elischer
To: Rowan Crowe
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: ipfw - can it deny ICMP "3.2" (type 3, subtype 2)?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 10 Jun 1994, Rowan Crowe wrote:

> Hi all,
>
> In the process of using tcpdump to check that traffic was flowing through
> the correct links after some routing changes, I noticed an attack on one
> of my users...
>
> 12:55:34.711241 193.230.186.164 > 203.20.114.159: icmp: 207.114.0.144 protocol 6 unreachable
>
> I added in a temporary ipfw block to deny and log anything from that IP:
>
> Jul 2 12:55:58 satin /kernel: ipfw: 1 Deny ICMP:3.2 193.230.186.164 203.20.114.159 in via ppp0
> Jul 2 12:56:25 satin last message repeated 1736 times
>
> As this is a reasonably common attack and fairly simplistic in nature I
> thought I might be able to get ipfw to block it. However, after some head
> scratching and reading of the man pages it seems that ipfw will not allow
> me to block a "subtype" such as the '.2' in 3.2.
>
> satin# ipfw a 1 deny icmp from 1.2.3.4 to 1.2.3.4 icmptypes 3.2
> ipfw: error: invalid ICMP type
>
> I can't just blanket block type 3 as that's destination unreachable, which
> generally is a legitimate ICMP message that should be passed.
>
> Any ideas?

a patch to /sys/netinet/ip_fw.c that implements this and /usr/src/sbin/ipfw
would not be too hard for you to write if you wanted that functionality,
and we could certainly commit it if you did.. :-)

julian

>
> Cheers.
>
>
> --
> Rowan Crowe                         http://www.rowan.sensation.net.au/
> Sensation Internet Services         http://www.sensation.net.au/
> Melbourne, Australia                Phone: +61-3-9388-9260
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
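
The type.code match asked for in the thread, sketched as an added user-space example (not code from either message and not FreeBSD's ip_fw.c): it parses a rule such as "3.2" and tests a raw IPv4 packet against it. The struct, the function names and the sample packets are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

struct icmp_rule { int type; int code; };  /* hypothetical rule; code -1 = any code */

/* Read one decimal field 0..255 at *p and advance past it; -1 on error. */
static int parse_u8(const char **p)
{
    char *end;
    if (**p < '0' || **p > '9') return -1;       /* no sign, no whitespace */
    long v = strtol(*p, &end, 10);
    *p = end;
    return v > 255 ? -1 : (int)v;
}

/* Parse "T" or "T.C" (the "3.2" form). Returns 0 on success, -1 on error. */
int parse_icmp_rule(const char *s, struct icmp_rule *r)
{
    r->code = -1;
    if ((r->type = parse_u8(&s)) < 0) return -1;
    if (*s == '.') { s++; if ((r->code = parse_u8(&s)) < 0) return -1; }
    return *s == '\0' ? 0 : -1;                  /* reject trailing junk */
}

/* Return 1 if the raw IPv4 packet is ICMP and matches the rule, else 0. */
int icmp_rule_match(const struct icmp_rule *r, const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 1) return 0; /* IPv4, proto 1 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;    /* header length in bytes */
    if (ihl < 20 || len < ihl + 2) return 0;     /* need the type and code bytes */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) return 0; /* later fragment */
    if (pkt[ihl] != r->type) return 0;
    return r->code < 0 || pkt[ihl + 1] == r->code;
}

/* Constructed samples: 192.0.2.1 -> 192.0.2.2, ICMP type 3, code 2 or 3. */
#define IPHDR 0x45,0,0,0x1c, 0,0,0,0, 0x40,1,0,0, 0xc0,0,2,1, 0xc0,0,2,2
const uint8_t sample_3_2[28] = { IPHDR, 3, 2, 0,0, 0,0,0,0 };
const uint8_t sample_3_3[28] = { IPHDR, 3, 3, 0,0, 0,0,0,0 };

/* Parse rule text and apply it: 1 match, 0 no match, -1 invalid rule. */
int match_str(const char *rule, const uint8_t *pkt, size_t len)
{
    struct icmp_rule r;
    return parse_icmp_rule(rule, &r) ? -1 : icmp_rule_match(&r, pkt, len);
}

int main(void) { return match_str("3.2", sample_3_2, sizeof sample_3_2) == 1 ? 0 : 1; }
```

A rule of "3.2" matches only protocol unreachable, so other destination-unreachable codes such as 3.3 (port unreachable) still pass, while a bare "3" keeps the existing match-any-code behaviour.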