Date:      Fri, 28 Jul 2006 10:22:34 +0300
From:      Nikos Vassiliadis <nvass@teledomenet.gr>
To:        freebsd-questions@freebsd.org
Cc:        User Freebsd <freebsd@hub.org>
Subject:   Re: icmp packets - disabling via sysctl, or cisco switch ... ?
Message-ID:  <200607281022.34464.nvass@teledomenet.gr>
In-Reply-To: <20060728001202.W17979@ganymede.hub.org>
References:  <20060728001202.W17979@ganymede.hub.org>

On Friday 28 July 2006 06:15, User Freebsd wrote:
> Two part question here ...
>
> first part ... is there a way of just disabling icmp by setting a sysctl,
> so that a server just doesn't respond to them?

No. You can do this using the firewall of your choice.
ipfw example:

    ipfw add deny icmp from any to any
    ipfw add allow ip from any to any

(not much intelligence in these rules, but this is
what you asked for)

Keep in mind that ipfw blocks everything by default
(**you will be locked out of the box**)
so do this locally or follow the instructions in the manual
on how to load the ipfw kernel module.

There are some things you can do with sysctls and ICMP:

root@brad:0:~# sysctl -d net.inet.icmp
net.inet.icmp: ICMP
net.inet.icmp.maskrepl: Reply to ICMP Address Mask Request packets.
net.inet.icmp.stats: 
net.inet.icmp.icmplim: Maximum number of ICMP responses per second
net.inet.icmp.maskfake: Fake reply to ICMP Address Mask Request packets.
net.inet.icmp.drop_redirect: Ignore ICMP redirects
net.inet.icmp.log_redirect: Log ICMP redirects to the console
net.inet.icmp.icmplim_output: Enable rate limiting of ICMP responses
net.inet.icmp.reply_src: icmp reply source for non-local packets.
net.inet.icmp.reply_from_interface: ICMP reply from incoming interface for non-local packets
net.inet.icmp.quotelen: Number of bytes from original packet to quote in ICMP reply
net.inet.icmp.bmcastecho: 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607281022.34464.nvass>
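
An added example, not part of the original message: the two ipfw rules from the reply, generated in an order that avoids the lockout the reply warns about. It goes beyond the message by letting ICMP types 3 and 11 through before the deny; the rule numbers and function names are assumptions, and it assumes the ipfw module is not yet loaded.

```shell
#!/bin/sh
# Added example (not from the original message). Rule numbers are assumptions.
ALLOW_ALL=32000   # catch-all allow, placed below the default rule 65535
ICMP_KEEP=1000    # assumed slot: ICMP errors that other protocols rely on
ICMP_DENY=1100    # assumed slot: every other ICMP message

# Print the commands, one per line, in the order they must be executed.
icmp_rules() {
    # Load the module and add the catch-all allow on ONE command line, so the
    # default "deny everything" rule never stands alone on a remote session.
    echo "kldload ipfw && ipfw add $ALLOW_ALL allow ip from any to any"
    # Type 3 (destination unreachable, which carries "fragmentation needed"
    # for path MTU discovery) and type 11 (time exceeded) stay allowed.
    echo "ipfw add $ICMP_KEEP allow icmp from any to any icmptypes 3,11"
    # Everything else ICMP, echo requests included, is dropped here.
    echo "ipfw add $ICMP_DENY deny icmp from any to any"
}

# The deny only works if it is evaluated before the catch-all allow, and the
# exceptions only work if they are evaluated before the deny.
order_ok() {
    [ "$ICMP_KEEP" -lt "$ICMP_DENY" ] &&
    [ "$ICMP_DENY" -lt "$ALLOW_ALL" ] &&
    [ "$ALLOW_ALL" -lt 65535 ]
}

# Without arguments: dry run, print the commands. With --apply: execute them
# (as root, on FreeBSD), stopping at the first command that fails.
apply_rules() {
    order_ok || { echo "refusing: rule numbers out of order" >&2; return 1; }
    if [ "$1" = "--apply" ]; then
        icmp_rules | while read -r cmd; do sh -c "$cmd" || exit 1; done
    else
        icmp_rules
    fi
}
```

Source the file and call `apply_rules` to preview the commands, then `apply_rules --apply` from the console to install them.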