From owner-freebsd-stable@FreeBSD.ORG Fri Jun 25 00:23:24 2004
Message-Id: <200406250023.i5P0N5Rg055088@drugs.dv.isc.org>
To: khoi@oddworld.com
From: Mark Andrews
In-reply-to: Your message of "Thu, 24 Jun 2004 16:50:36 MST."
Date: Fri, 25 Jun 2004 10:23:05 +1000
Sender: Mark_Andrews@isc.org
cc: freebsd-stable@freebsd.org
Subject: Re: Disallowing ping and traceroute from outside
List-Id: Production branch of FreeBSD source code

> Hi All,
>
> How do I configure ipfw2 to allow ping and traceroute from my internal
> network to the outside but not the other way around?

Ping is usually ICMP ECHO out, ICMP ECHO REPLY in. It can, however, be implemented using UDP/TCP or any other protocol in a similar manner to traceroute. All it requires is some response to be returned. Both "udpping" and "tcpping" exist.
If you want to block traceroute, don't offer *any* services to the outside world and use stateful rules for outgoing traffic.

traceroute works by causing systems to generate ICMP TIME EXCEEDED. You really don't want to block that going out.

Traceroute really is not bad, nor is ping. Both are useful diagnostic tools. What was bad was "directed broadcasts". This used to be done with ICMP ECHO requests, which were then responded to by all the systems in the broadcast domain. When this was being done the only solution was "block ICMP"/"block ICMP ECHO".

Mark

> Thanks,
> Khoi
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
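The following rc.firewall-style script is an added example, not part of the message above or of FreeBSD's own rc.firewall. It puts the advice into ipfw2 rules: outbound ICMP ECHO and outbound UDP/TCP probes from the inside network create dynamic rules with keep-state, so only the matching replies are let back in, while unsolicited ECHO requests and traceroute probes arriving from outside fall through to the final deny. The interface name fxp0 and the inside network 192.168.1.0/24 are assumptions; adjust them. Two points the one-line answer leaves implicit: ICMP errors (UNREACHABLE, SOURCE QUENCH, TIME EXCEEDED) are sent by intermediate routers with their own source address and protocol, so they do not match the dynamic rule created for the UDP or TCP probe and must be admitted explicitly, and the same types must be allowed out so the gateway can still answer other people's traceroutes with TIME EXCEEDED, as Mark recommends.

```shell
#!/bin/sh
# ipfw2 ruleset: ping and traceroute out from the inside network, stateful
# replies back in, nothing unsolicited from outside. Added example; the
# interface and network below are assumed values, not from the original post.
fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-fxp0}"                    # assumed outside interface
inet="${inet:-192.168.1.0/24}"        # assumed inside network

load_rules() {
    $fwcmd -q flush

    # Loopback and basic anti-spoofing.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any
    $fwcmd add 130 deny ip from $inet to any in via $oif

    # Match existing dynamic rules first: this is what lets ECHO REPLY and
    # other answers to our own outbound traffic back in.
    $fwcmd add 200 check-state

    # Outbound ping: ICMP ECHO (type 8) creates a dynamic rule, so only the
    # corresponding ECHO REPLY from that destination is accepted.
    $fwcmd add 300 allow icmp from $inet to any out via $oif icmptypes 8 keep-state

    # Outbound traceroute: UDP probes (default ports 33434-33534) and, for
    # tcpping/tcptraceroute style tools, TCP connections we initiate.
    $fwcmd add 310 allow udp from $inet to any 33434-33534 out via $oif keep-state
    $fwcmd add 320 allow tcp from $inet to any out via $oif setup keep-state
    $fwcmd add 330 allow udp from $inet to any out via $oif keep-state

    # ICMP errors from routers (3 = unreachable, 4 = source quench,
    # 11 = time exceeded) are the actual answers to a traceroute; they come
    # from a different source and protocol than the probe, so the dynamic
    # rule above does not cover them.
    $fwcmd add 400 allow icmp from any to $inet in via $oif icmptypes 3,4,11

    # Let our own ICMP errors out; blocking TIME EXCEEDED here would break
    # other people's traceroutes through us without hiding anything.
    $fwcmd add 410 allow icmp from any to any out via $oif icmptypes 3,4,11

    # Everything else arriving from outside is unsolicited: inbound ECHO
    # requests, inbound traceroute probes, and connection attempts to
    # services we do not offer.
    $fwcmd add 65000 deny log ip from any to any in via $oif
    $fwcmd add 65010 allow ip from any to any
}

# Print the rules instead of loading them (dry run for review).
show_rules() {
    ( fwcmd=echo; load_rules )
}

case "${1:-show}" in
    apply) load_rules ;;
    *)     show_rules ;;
esac
```

Run it with `apply` as root to load the rules, or without arguments to print them for review. Note that `deny log` only produces output when net.inet.ip.fw.verbose is enabled.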