From owner-freebsd-security Fri Nov 24 2:57:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id DCE7837B4CF for ; Fri, 24 Nov 2000 02:57:46 -0800 (PST)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA48760; Fri, 24 Nov 2000 11:57:40 +0100 (CET) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Vlad
Cc: security@FreeBSD.ORG
Subject: Re: ipf - icmp
References:
From: Dag-Erling Smorgrav
Date: 24 Nov 2000 11:57:39 +0100
In-Reply-To: Vlad's message of "Thu, 23 Nov 2000 14:35:56 -0500 (EST)"
Message-ID:
Lines: 17
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Vlad writes:
> pass in quick on sis0 proto icmp from any to any icmp-type 0
> pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
> pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
> pass in quick on sis0 proto icmp from any to any icmp-type timex
> pass out quick on sis0 proto icmp from any to any
>
> these entries will allow you to ping/traceroute anyone, will prohibit
> anyone from pinging/tracerouting you.

No. There is no way to completely prevent someone from tracerouting
you. You can make it slightly harder by blocking incoming UDP (which
your ruleset does not), but that's about it.

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
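
What the four quoted inbound rules do and do not match, as an added example that is not part of the original message: a small Python model of those rules evaluated over constructed packets. It assumes the quoted lines are the entire inbound ruleset and takes the default policy as a parameter (ipf passes unmatched packets unless the kernel is built with IPFILTER_DEFAULT_BLOCK); the function and variable names are hypothetical.

```python
# Added example: minimal model of the quoted ipf inbound rules.
# Only the fields those rules test are modelled (protocol, ICMP type, ICMP code).

# (proto, icmp_type, icmp_code) ; icmp_code None means "any code"
QUOTED_IN_RULES = [
    ("icmp", 0, None),   # icmp-type 0          (echo reply)
    ("icmp", 3, 3),      # unreach code 3       (port unreachable)
    ("icmp", 3, 4),      # unreach code 4       (fragmentation needed)
    ("icmp", 11, None),  # icmp-type timex      (time exceeded)
]

def decide_inbound(packet, rules=QUOTED_IN_RULES, default="pass"):
    """Return (action, reason) for one inbound packet.

    Every quoted rule is 'pass in quick', so the first match ends
    evaluation. A packet matching no rule gets the default policy,
    which is an assumption supplied by the caller.
    """
    for number, (proto, icmp_type, icmp_code) in enumerate(rules, 1):
        if packet["proto"] != proto:
            continue
        if packet.get("type") != icmp_type:
            continue
        if icmp_code is not None and packet.get("code") != icmp_code:
            continue
        return "pass", f"rule {number}"
    return default, "default policy"

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "echo reply":       {"proto": "icmp", "type": 0, "code": 0},
    "echo request":     {"proto": "icmp", "type": 8, "code": 0},
    "port unreachable": {"proto": "icmp", "type": 3, "code": 3},
    "host unreachable": {"proto": "icmp", "type": 3, "code": 1},
    "time exceeded":    {"proto": "icmp", "type": 11, "code": 0},
    "udp datagram":     {"proto": "udp"},
}

def evaluate(default):
    """Decide every sample packet under the given default policy."""
    return {name: decide_inbound(pkt, default=default)
            for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for policy in ("pass", "block"):
        print(f"default {policy}:")
        for name, (action, reason) in evaluate(policy).items():
            print(f"  {name:17} {action:5} ({reason})")
```

Under a default-pass policy none of the samples is blocked, because the quoted lines contain only `pass` rules; echo requests and UDP are stopped only by a default-block kernel or by explicit `block` rules that the quoted excerpt does not show.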