Date: Fri, 25 Jun 2004 10:23:05 +1000
From: Mark Andrews <Mark_Andrews@isc.org>
To: khoi@oddworld.com
Cc: freebsd-stable@freebsd.org
Subject: Re: Disallowing ping and traceroute from outside
Message-ID: <200406250023.i5P0N5Rg055088@drugs.dv.isc.org>
In-Reply-To: Your message of "Thu, 24 Jun 2004 16:50:36 MST." <HZU7KC00.4SF@luskan.oddworld.com>
> Hi All,
>
> How do I configure ipfw2 to allow ping and traceroute from my internal
> network to the outside but not the other way around?

Ping is usually ICMP ECHO out, ICMP ECHO REPLY in. It can however be implemented using UDP/TCP or any other protocol in a similar manner to traceroute. All it requires is some response to be returned. Both "udpping" and "tcpping" exist.

If you want to block traceroute don't offer *any* services to the outside world and use stateful rules for outgoing traffic.

traceroute works by causing systems to generate ICMP TIME EXCEEDED. You really don't want to block that going out.

Traceroute really is not bad, nor is ping. Both are useful diagnostic tools. What was bad was "directed broadcasts". This used to be done w/ ICMP ECHO requests which were then responded to by all the systems in the broadcast domain. When this was being done the only solution was "block ICMP"/"block ICMP ECHO".

Mark

> Thanks,
> Khoi
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: Mark_Andrews@isc.org
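An ipfw2 ruleset along the lines Mark describes (stateful rules for what goes out, no inbound services, ICMP errors let through), added here as an example and not taken from this thread. It assumes a FreeBSD gateway whose outside interface is called em0 (a placeholder name) and that the box does no NAT; the function form is only so the rules can be printed or loaded from one place.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a FreeBSD gateway whose
# outside interface is em0 (constructed name) and that no NAT is in use.
EXT_IF="${EXT_IF:-em0}"

# Emit the ruleset in the format ipfw(8) reads from a file.
ipfw_rules() {
  cat <<EOF
flush
# replies to our own outbound TCP/UDP come back via dynamic rules
add 100 check-state
add 200 allow tcp from any to any out via $EXT_IF setup keep-state
add 210 allow udp from any to any out via $EXT_IF keep-state
# ping from inside: echo request out, echo reply in
add 300 allow icmp from any to any icmptypes 8 out via $EXT_IF
add 310 allow icmp from any to any icmptypes 0 in via $EXT_IF
# traceroute from inside: the UDP probes match 210, but the answers are
# ICMP errors from other hops, which ipfw's dynamic rules do not cover
add 320 allow icmp from any to any icmptypes 3,11 in via $EXT_IF
# let this box itself emit TIME EXCEEDED / UNREACHABLE for packets it
# drops or forwards with an expired TTL (the point Mark makes above)
add 330 allow icmp from any to any icmptypes 3,11 out via $EXT_IF
# ping from outside: drop inbound echo requests
add 400 deny icmp from any to any icmptypes 8 in via $EXT_IF
# no services offered, so outside traceroute probes (and all else) stop here
add 65000 deny log ip from any to any in via $EXT_IF
EOF
}

# Load the rules if ipfw is present on this host; otherwise just print them.
apply_rules() {
  tmp=$(mktemp) || return 1
  ipfw_rules > "$tmp"
  if command -v ipfw >/dev/null 2>&1; then
    ipfw -q -f "$tmp"
  else
    cat "$tmp"
  fi
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Rule 320 is the piece people most often forget: keep-state only tracks the UDP probe's own 5-tuple, so the TIME EXCEEDED replies that make traceroute work need their own inbound allow.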