From: "Drew Tomlinson"
To: "Jamie Norwood", "Colin Percival"
Cc: freebsd-security@freebsd.org
Subject: Re: OT: Data Packet Filters?
Date: Fri, 19 Oct 2001 07:41:29 -0700

----- Original Message -----
From: "Jamie Norwood"
To: "Drew Tomlinson"
Sent: Friday, October 19, 2001 6:18 AM
Subject: Re: OT: Data Packet Filters?

> On Fri, Oct 19, 2001 at 06:00:27AM -0700, Drew Tomlinson wrote:
> > I'm hoping someone on this list will share his/her knowledge with me
> > even though this is somewhat off-topic. :)
> >
> > I am trying to deny ICMP echo reply packets on my 3Com 812 ADSL
> > modem/router. It appears that the only way to do this is to write a
> > data filter. The fields I need to determine are offset (bytes - which
> > I thought was 36 for ICMP code), length (bytes - I thought 1), Masked
> > (hex - appears that FF is to match data exactly), and data (hex - I
> > thought 0x0 echo reply).
> >
> > Can anyone get me pointed in the right direction? Any help or URLs
> > will be most appreciated.
> Why not set up a firewall with NAT?

My network setup is like this:

    ISP
     |
     | IP is DHCP (RFC 1918 & draft-manning nets
     | inbound blocked here)
     |
    ADSL Modem/Router (provides DNS & NAT)
     |192.168.10.1 (RFC 1918 & draft-manning nets
     | outbound blocked here)
     |
     |192.168.10.2 (ed1)
    Firewall
     |
     |192.168.1.2 (ed0)
     |
    Internal Network 192.168.1.0/24

The modem/router forwards all traffic to the firewall but will respond to ICMP messages on its own. Thus I need to stop unwanted ICMP traffic at the modem/router.

The modem/router will allow me to easily block *all* ICMP traffic but from what I've read, this is not a good thing. So the only way I can accomplish this (AFAIK) is to create a data packet filter on the modem/router to allow packets with ICMP type (what I want) rule first and then reject the rest.

Thanks,

Drew