Date:      Fri, 19 Oct 2001 07:41:29 -0700
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        "Jamie Norwood" <mistwolf@mushhaven.net>, "Colin Percival" <colin.percival@wadham.ox.ac.uk>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: OT: Data Packet Filters?
Message-ID:  <002d01c158ac$23f34810$cd2a6ba5@lc.ca.gov>
References:  <003101c1589e$061ceac0$0301a8c0@bigdaddy> <20011019091840.A15330@mushhaven.net>

----- Original Message -----
From: "Jamie Norwood" <mistwolf@mushhaven.net>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Sent: Friday, October 19, 2001 6:18 AM
Subject: Re: OT: Data Packet Filters?


> On Fri, Oct 19, 2001 at 06:00:27AM -0700, Drew Tomlinson wrote:
> > I'm hoping someone on this list will share his/her knowledge with me
> > even though this is somewhat off-topic.  :)
> >
> > I am trying to deny ICMP echo reply packets on my 3Com 812 ADSL
> > modem/router.  It appears that the only way to do this is to write a
> > data filter.  The fields I need to determine are offset (bytes - which
> > I thought was 36 for ICMP code), length (bytes - I thought 1), Masked
> > (hex - appears that FF is to match data exactly), and data (hex - I
> > thought 0x0 echo reply).
> >
> > Can anyone get me pointed in the right direction?  Any help or URLs
> > will be most appreciated.
>
> Why not set up a firewall with NAT?

My network setup is like this:

       ISP
        |
        | IP is DHCP (RFC 1918 & draft-manning nets
        |             inbound blocked here)
        |
 ADSL Modem/Router (provides DNS & NAT)
        |192.168.10.1 (RFC 1918 & draft-manning nets
        |             outbound blocked here)
        |
        |192.168.10.2 (ed1)
     Firewall
        |
        |192.168.1.2 (ed0)
        |
Internal Network 192.168.1.0/24

The modem/router forwards all traffic to the firewall but will respond
to ICMP messages on its own.  Thus I need to stop unwanted ICMP traffic
at the modem/router.  The modem/router will allow me to easily block
*all* ICMP traffic but from what I've read, this is not a good thing.
So the only way I can accomplish this (AFAIK) is to create a data packet
filter on the modem/router to allow packets with ICMP type (what I want)
rule first and then reject the rest.

Thanks,

Drew


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
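As an added illustration (not code from this thread, from 3Com, or from the FreeBSD project), here is a Python model of the offset/length/mask/data "data filter" Drew describes, run against constructed IPv4/ICMP packets. It assumes offsets are counted from the first byte of the IP header; whether the 3Com 812 counts from there or from the start of the link-layer frame is not stated in the thread, and the allow list of types 3 and 11 is an assumed policy, not Drew's. It also shows the caveat a practitioner would want: IP options push the ICMP header past the fixed offset, so an allow list built from fixed-offset rules drops wanted messages that carry options, and a fixed-offset "reject echo reply" rule can be sidestepped by adding options; a filter that reads the IHL field avoids both.

```python
import struct

# ICMP type numbers used below (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over `data` (padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(icmp_type: int, icmp_code: int, payload: bytes = b"",
                      options: bytes = b"") -> bytes:
    """Construct an IPv4 packet carrying one ICMP message (constructed sample input).

    `options` is appended to the 20-byte header so IHL > 5, which is the case a
    fixed-offset rule gets wrong. Addresses are assumed values: 198.51.100.7
    (documentation range) to 192.168.10.1, the modem/router in the diagram.
    """
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(icmp),
                      0, 0, 64, 1, 0, bytes([198, 51, 100, 7]),
                      bytes([192, 168, 10, 1])) + options
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]  # header checksum
    return hdr + icmp


class DataFilter:
    """One offset/length/mask/data rule; the first matching rule's action wins.

    Offsets count from the first byte of the IP header (assumption: the 3Com's
    offset base is not stated in the thread).
    """

    def __init__(self, action: str, offset: int, length: int, mask: bytes, data: bytes):
        assert len(mask) == length and len(data) == length
        self.action, self.offset, self.length = action, offset, length
        self.mask, self.data = mask, data

    def matches(self, pkt: bytes) -> bool:
        chunk = pkt[self.offset:self.offset + self.length]
        if len(chunk) < self.length:
            return False  # short packet: never a match
        return all((c & m) == (d & m) for c, m, d in zip(chunk, self.mask, self.data))


def apply_filters(pkt: bytes, rules: list, default: str = "reject") -> str:
    """Evaluate rules in order, as the thread describes: wanted types first, then reject."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def icmp_type(pkt: bytes):
    """Read the ICMP type honouring IHL; None if the packet is not ICMP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP, 8-byte ICMP header
        return None
    return pkt[ihl]


def classify_by_type(pkt: bytes, allowed_types: set) -> str:
    """IHL-aware equivalent of the allow list: options cannot shift the field."""
    t = icmp_type(pkt)
    return "allow" if t is not None and t in allowed_types else "reject"


# Assumed policy for the allow-then-reject approach: keep destination
# unreachable and time exceeded, drop every other ICMP type. Offset 20 is
# only the ICMP type byte when IHL == 5.
ALLOW_LIST_RULES = [
    DataFilter("allow", 20, 1, b"\xff", bytes([DEST_UNREACH])),
    DataFilter("allow", 20, 1, b"\xff", bytes([TIME_EXCEEDED])),
]
# The deny-list alternative: a single fixed-offset "reject echo reply" rule.
DENY_ECHO_REPLY_RULES = [DataFilter("reject", 20, 1, b"\xff", bytes([ECHO_REPLY]))]

if __name__ == "__main__":
    plain = build_icmp_packet(ECHO_REPLY, 0)
    with_opts = build_icmp_packet(ECHO_REPLY, 0, options=b"\x01" * 4)  # four NOP options
    print("echo reply, allow list        :", apply_filters(plain, ALLOW_LIST_RULES))
    print("echo reply, fixed deny rule   :", apply_filters(plain, DENY_ECHO_REPLY_RULES, "allow"))
    print("echo reply+options, deny rule :", apply_filters(with_opts, DENY_ECHO_REPLY_RULES, "allow"))
    print("echo reply+options, IHL-aware :", classify_by_type(with_opts, {DEST_UNREACH, TIME_EXCEEDED}))
```

If the device counts offsets from the start of an Ethernet frame rather than the IP header, every offset in this model shifts by the 14-byte Ethernet header; the thread does not say which base the 3Com uses, so check the device's own documentation before transcribing these numbers.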
