From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: User Freebsd
Date: Fri, 28 Jul 2006 10:22:34 +0300
Subject: Re: icmp packets - disabling via sysctl, or cisco switch ... ?
In-Reply-To: <20060728001202.W17979@ganymede.hub.org>
Message-Id: <200607281022.34464.nvass@teledomenet.gr>

On Friday 28 July 2006 06:15, User Freebsd wrote:
> Two part question here ...
>
> first part ... is there a way of just disabling icmp by setting a sysctl,
> so that a server just doesn't respond to them?

No.
You can do this using the firewall of your choice. ipfw example:

    ipfw add deny icmp from any to any
    ipfw add allow ip from any to any

(not much intelligence in these rules, but this is what you asked for)

Keep in mind that ipfw blocks everything by default (**you will be locked out of the box**), so do this locally or follow the instructions in the manual on how to load the ipfw kernel module.

There are some things you can do with sysctls and ICMP:

root@brad:0:~# sysctl -d net.inet.icmp
net.inet.icmp: ICMP
net.inet.icmp.maskrepl: Reply to ICMP Address Mask Request packets.
net.inet.icmp.stats:
net.inet.icmp.icmplim: Maximum number of ICMP responses per second
net.inet.icmp.maskfake: Fake reply to ICMP Address Mask Request packets.
net.inet.icmp.drop_redirect: Ignore ICMP redirects
net.inet.icmp.log_redirect: Log ICMP redirects to the console
net.inet.icmp.icmplim_output: Enable rate limiting of ICMP responses
net.inet.icmp.reply_src: icmp reply source for non-local packets.
net.inet.icmp.reply_from_interface: ICMP reply from incoming interface for non-local packets
net.inet.icmp.quotelen: Number of bytes from original packet to quote in ICMP reply
net.inet.icmp.bmcastecho:
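As an added example (not part of the post above), the two-rule ipfw set and the sysctl listing can be turned into a less blunt configuration: inbound echo requests are still dropped, but the ICMP types that path-MTU discovery and error reporting rely on are kept, and the redirect/mask/broadcast-echo sysctls are tightened. It assumes ipfw is loaded on a default-deny kernel, and the interface name em0 is a placeholder for the external interface.

```shell
#!/bin/sh
# Added example, not from the original post. Replaces a blanket
# "deny icmp from any to any" with a rule set that keeps the ICMP
# needed for PMTU discovery and traceroute/error reporting.
# Assumption: ipfw is loaded, kernel default is deny, em0 is a placeholder.
IFACE="${IFACE:-em0}"

# Print the ipfw commands instead of running them, so the set can be
# reviewed and then applied as one batch (on a default-deny kernel a
# half-applied rule set is exactly how you get locked out of the box).
icmp_rules() {
    cat <<EOF
ipfw -q -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow icmp from any to any icmptypes 3,11 in via $IFACE
ipfw add 210 allow icmp from any to any icmptypes 0 in via $IFACE
ipfw add 220 deny log icmp from any to any in via $IFACE
ipfw add 300 allow icmp from any to any out via $IFACE
ipfw add 65000 allow ip from any to any
EOF
}
# Rule 200: type 3 (destination unreachable, including fragmentation
#   needed) and type 11 (time exceeded) are required for PMTU discovery
#   and for traceroute/ping error feedback.
# Rule 210: echo replies, so the host's own pings still work.
# Rule 220: everything else inbound, echo requests included, is dropped
#   and logged (logging needs net.inet.ip.fw.verbose=1).
# Rule 65000: the catch-all allow from the post, so nothing else changes.

# Host-level knobs from the "sysctl -d net.inet.icmp" listing in the post:
# ignore (and log) redirects, do not answer address-mask requests, and
# do not reply to broadcast/multicast echo.
icmp_sysctls() {
    cat <<EOF
sysctl net.inet.icmp.drop_redirect=1
sysctl net.inet.icmp.log_redirect=1
sysctl net.inet.icmp.maskrepl=0
sysctl net.inet.icmp.bmcastecho=0
EOF
}

# "apply" executes the commands; any other invocation is a dry run.
if [ "${1:-}" = "apply" ]; then
    { icmp_rules; icmp_sysctls; } | sh
else
    icmp_rules; icmp_sysctls
fi
```

Run it once without arguments to inspect the generated commands, then `sh script.sh apply` from the console rather than over the network.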