From owner-freebsd-security Mon Dec 10 1:33:49 2001
Date: Mon, 10 Dec 2001 11:32:49 +0200
From: Peter Pentchev
To: Jaron Omega
Cc: Mike D, freebsd-security@FreeBSD.ORG
Subject: Re: ICMP from within only
Message-ID: <20011210113249.D757@straylight.oblivion.bg>
References: <20011210075231.JFSH3849.mta06-svc.ntlworld.com@there>
In-Reply-To: ; from jaron@af-inet.net on Mon, Dec 10, 2001 at 01:10:05AM -0800

On Mon, Dec 10, 2001 at 01:10:05AM -0800, Jaron Omega wrote:
> On Mon, 10 Dec 2001, Mike D wrote:
>
> >Is it possible to define a rule that will allow through pings and
> >traceroutes, but only the ones initiated from within the firewall?
> >
> >Thanks for any advice!
>
> Yes via 'icmptypes' attribute.
>
> fwcmd = /sbin/ipfw <- FreeBSD's firewall.
>
> Allows YOU to ping, and run traceroute.
> $fwcmd add allow icmp from any to via icmptypes 0,3,11

Note that this alone will not really allow you to run traceroute.
This lets in the *response* packets; however, those responses will
never be generated unless you allow the outgoing traceroute packets.
For the Van Jacobson traceroute implementation (used in most modern
Unix-like OS's, including FreeBSD), you will need something like:

$fwcmd add allow udp from to any 33400-33500 via

The MS Windows traceroute uses ICMP ECHO (ping) packets, IIRC, so the
above rule for pings should work fine.

> Denies others to ping you.
> $fwcmd add deny icmp from any to via icmptypes 0,8
>
> Allows pinging etc, from your personal network.
> $fwcmd add allow icmp from to via icmptypes 0,8

As above, you might need to allow UDP packets with a destination port
range of 33400-33500 for VJ traceroute to work.

G'luck,
Peter

-- 
This sentence every third, but it still comprehensible.
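As an added example (not code from the thread), here is how the rules discussed above fit together in one ipfw script, in the first-match order that matters for ipfw: outgoing VJ traceroute probes, the ICMP replies they and ping need, then the block on outside echo requests. The interface fxp0 and the network 192.168.1.0/24 are assumed placeholders for the stripped interface and network values, and FWCMD defaults to a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: "ping and traceroute from inside only" as an ipfw rule set.
# Assumptions (not from the original mail): oif is the outside interface,
# inet is the internal network. FWCMD defaults to a dry run that only echoes
# the ipfw commands; set FWCMD=/sbin/ipfw to load them on a FreeBSD firewall.
oif="${oif:-fxp0}"                # hypothetical outside interface
inet="${inet:-192.168.1.0/24}"    # hypothetical internal network
FWCMD="${FWCMD:-echo /sbin/ipfw}" # dry run by default

# Emits the rules in first-match order; ipfw stops at the first matching rule.
traceroute_rules() {
    fwcmd="$1"
    # Outgoing VJ traceroute probes: UDP to the 33400-33500 port range.
    $fwcmd add allow udp from "$inet" to any 33400-33500 out via "$oif"
    # Replies our own pings and probes need: echo reply (0), destination
    # unreachable (3, the port-unreachable that ends a traceroute) and
    # time exceeded (11, one per intermediate hop).
    $fwcmd add allow icmp from any to any in via "$oif" icmptypes 0,3,11
    # Nobody outside gets to ping us: drop inbound echo requests (8).
    $fwcmd add deny icmp from any to any in via "$oif" icmptypes 8
    # Hosts on the internal network may ping the firewall and beyond.
    $fwcmd add allow icmp from "$inet" to any icmptypes 0,8
}

traceroute_rules "$FWCMD"
```

Run it once with the default dry run and read the four printed rules before pointing FWCMD at the real ipfw.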