Date: Mon, 27 Oct 2003 00:57:46 -0800
From: Gregory Sutter <gsutter@zer0.org>
To: Brett Glass <brett@lariat.org>
Cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027085746.GD98272@klapaucius.zer0.org>
In-Reply-To: <200310270731.AAA23485@lariat.org>

On 2003-10-27 00:31 -0700, Brett Glass <brett@lariat.org> wrote:
> We're being ping-flooded by the Nachi worm, which probes subnets for
> systems to attack by sending 92-byte ping packets. Unfortunately,
> IPFW doesn't seem to have the ability to filter packets by length.
> Assuming that I stick with IPFW, what's the best way to stem the
> tide?

You could filter by icmptype, with the result that no ICMP ECHO packets
would transit your firewall (i.e. ping stops working). Here is what I
use on one of my hosts. Comments welcome.

    # icmp
    # echo reply, dest unreach, redirect, echo request, ttl exceeded
    $fwcmd add 07000 allow icmp from me to any out xmit $eth icmptypes 0,3,5,8,11
    # echo reply, dest unreach, echo request, ttl exceeded
    $fwcmd add 07010 allow icmp from any to me in recv $eth icmptypes 0,3,8,11

(The remainder are denied by default.)

Greg
-- 
Gregory S. Sutter                     It is no measure of health to be
mailto:gsutter@zer0.org               well adjusted to a profoundly
http://zer0.org/~gsutter/             sick society. --Krishnamurti
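The trade-off discussed above (drop every echo request and lose ping, or match on the 92-byte length that the worm's probes share and keep ping working) can be shown with a small user-space classifier. The following is an added example and not code from this thread or from ipfw: it builds three constructed IPv4/ICMP packets and runs them through three policies, Greg's icmptypes allow-list, the same list with echo request removed, and a length match on 92-byte echo requests. The 0xAA filler in the worm-like packet is an assumption; the original post states only the 92-byte length, which is all the classifier looks at.

```python
import struct
from typing import Dict, FrozenSet

# Added illustration of ICMP filtering policies; constructed packets, not captured traffic.

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
GREG_ALLOWED_IN: FrozenSet[int] = frozenset({0, 3, 8, 11})   # rule 07010 in the message


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, icmp_type: int, payload: bytes, code: int = 0) -> bytes:
    """IPv4 header (20 bytes, no options) + ICMP header (8 bytes) + payload, checksums filled in."""
    rest_of_header = 0x12340001                       # identifier/sequence for echo; unused otherwise
    icmp_hdr = struct.pack("!BBHI", icmp_type, code, 0, rest_of_header)
    icmp_csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHI", icmp_type, code, icmp_csum, rest_of_header) + payload
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_ICMP, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse(pkt: bytes) -> Dict[str, int]:
    """Pull out the three fields the policies below decide on."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"len": struct.unpack("!H", pkt[2:4])[0], "proto": pkt[9]}
    if info["proto"] == IPPROTO_ICMP:
        info["icmp_type"] = pkt[ihl]
    return info


def policy_icmptypes(pkt: bytes, allowed: FrozenSet[int] = GREG_ALLOWED_IN) -> str:
    """Mirror of 'allow icmp ... icmptypes 0,3,8,11' with everything else denied."""
    p = parse(pkt)
    if p["proto"] != IPPROTO_ICMP:
        return "deny"                                  # only ICMP is modelled here
    return "allow" if p["icmp_type"] in allowed else "deny"


def policy_no_echo(pkt: bytes) -> str:
    """Same list with echo request removed: stops the worm's probes and ordinary ping alike."""
    return policy_icmptypes(pkt, GREG_ALLOWED_IN - {ICMP_ECHO_REQUEST})


def policy_length(pkt: bytes, worm_len: int = 92) -> str:
    """Drop only 92-byte echo requests, then fall through to the icmptypes list."""
    p = parse(pkt)
    if p["proto"] == IPPROTO_ICMP and p.get("icmp_type") == ICMP_ECHO_REQUEST and p["len"] == worm_len:
        return "deny"
    return policy_icmptypes(pkt)


# Constructed samples (RFC 5737 addresses). 56-byte data is the classic ping default (84 bytes total);
# 64 bytes of 0xAA filler gives the 92-byte total quoted in the thread (the filler value is assumed).
NORMAL_PING = build_icmp_packet("192.0.2.10", "192.0.2.1", ICMP_ECHO_REQUEST, bytes(56))
WORM_PING = build_icmp_packet("198.51.100.7", "192.0.2.1", ICMP_ECHO_REQUEST, b"\xaa" * 64)
UNREACH = build_icmp_packet("192.0.2.1", "192.0.2.10", ICMP_DEST_UNREACH, bytes(28), code=3)


def compare() -> Dict[str, Dict[str, str]]:
    """Verdict of every policy on every sample packet."""
    samples = {"normal_ping": NORMAL_PING, "worm_ping": WORM_PING, "unreach": UNREACH}
    policies = {"icmptypes": policy_icmptypes, "no_echo": policy_no_echo, "length": policy_length}
    return {name: {pn: pf(pkt) for pn, pf in policies.items()} for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12s} {len({'normal_ping': NORMAL_PING, 'worm_ping': WORM_PING, 'unreach': UNREACH}[name]):3d} bytes  {verdicts}")
```

The point to take from the comparison: Greg's rule passes the worm's echo requests unchanged, removing type 8 stops them but also every reply to your own pings never arriving matters less than the fact that nobody can ping the host, and the length match keeps ordinary 84-byte pings flowing. The caveat with the length match is that any legitimate ping sent with 64 data bytes (`ping -s 64`) is also a 92-byte echo request and is dropped with the probes; match on length only while the flood lasts.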
