From owner-freebsd-security@FreeBSD.ORG  Thu Sep  2 17:05:30 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A48CD16A4CE
	for <freebsd-security@freebsd.org>;
	Thu,  2 Sep 2004 17:05:30 +0000 (GMT)
Received: from ns1.tiadon.com (SMTP.tiadon.com [69.27.132.161])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3F76E43D5F
	for <freebsd-security@freebsd.org>;
	Thu,  2 Sep 2004 17:05:30 +0000 (GMT)	(envelope-from kdk@daleco.biz)
Received: from [69.27.131.0] ([69.27.131.0]) by ns1.tiadon.com with Microsoft
	SMTPSVC(6.0.3790.0);	 Thu, 2 Sep 2004 12:04:56 -0500
Message-ID: <413752D6.4060100@daleco.biz>
Date: Thu, 02 Sep 2004 12:05:26 -0500
From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040712
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Dave <mudman@metafocus.net>
References: <20040901203202.U31170@metafocus.net>
In-Reply-To: <20040901203202.U31170@metafocus.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 02 Sep 2004 17:04:57.0313 (UTC)
	FILETIME=[F9680510:01C4910E]
cc: freebsd-security@freebsd.org
Subject: Re: IPFW and icmp
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2004 17:05:30 -0000

Dave wrote:

>I'm not a master of the internet RFCs, but I do believe icmp messages have
>different types.
>
>Now to enable traceroute for IPFW, I might put in a rule like this:
>
>ipfw add pass icmp from any to me
>
>However, how would I make a rule to limit icmp messages to just those used
>by traceroute?  Can the messages be distinguished as such?
>
>  
>

I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11".  That
include 'echo request', of course.  Someone else may have a better idea.

>A dynamic rule that exists only for the duration of a traceroute execution
>would be even better.  I take it 'setup' or 'check-state' would follow in
>that case?
>
>  
>
Seems likely. *sigh* one more manpage to read.... ;-)

Kevin Kinsey