From: c0ldbyte
To: freebsd-security@freebsd.org
Date: Fri, 3 Sep 2004 09:15:31 -0400 (EDT)
Subject: Re: freebsd-security Digest, Vol 75, Issue 2
Message-ID: <20040903091313.B57210@eleanor.spectical.net>
In-Reply-To: <20040903120107.3D61A16A4E0@hub.freebsd.org>

On Fri, 3 Sep 2004 freebsd-security-request@freebsd.org wrote:

> Today's Topics:
>
>    1. Re: IPFW and icmp (Kevin D. Kinsey, DaleCo, S.P.)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 02 Sep 2004 12:05:26 -0500
> From: "Kevin D. Kinsey, DaleCo, S.P."
> Subject: Re: IPFW and icmp
> To: Dave
> Cc: freebsd-security@freebsd.org
> Message-ID: <413752D6.4060100@daleco.biz>
>
> Dave wrote:
>
>> I'm not a master of the internet RFCs, but I do believe icmp messages have
>> different types.
>>
>> Now to enable traceroute for IPFW, I might put in a rule like this:
>>
>> ipfw add pass icmp from any to me
>>
>> However, how would I make a rule to limit icmp messages to just those used
>> by traceroute? Can the messages be distinguished as such?
>>
>
> I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11". That
> includes 'echo request', of course. Someone else may have a better idea.
>
>> A dynamic rule that exists only for the duration of a traceroute execution
>> would be even better. I take it 'setup' or 'check-state' would follow in
>> that case?
>>
>
> Seems likely. *sigh* one more manpage to read.... ;-)
>
> Kevin Kinsey

You guys should check out this link here for the ICMP types.
http://www.iana.org/assignments/icmp-parameters might help you out a little.
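The question in the thread, whether ICMP messages can be told apart, comes down to the type byte at the start of the ICMP header, which is what the quoted `icmptypes` list matches on. The following is an added Python model, not code from the thread or from ipfw: the packets are constructed samples, the checksum check belongs to this sketch only, and `TRACEROUTE_REPLIES` is an assumed narrower set covering the replies to a UDP-probe traceroute (time exceeded from intermediate hops, destination unreachable from the target).

```python
import struct

# Names as listed in the IANA ICMP parameters registry linked above.
ICMP_NAMES = {0: "echo reply", 3: "destination unreachable",
              4: "source quench", 8: "echo request", 11: "time exceeded"}

THREAD_RULE = {0, 3, 4, 8, 11}   # the icmptypes list quoted in the thread
TRACEROUTE_REPLIES = {3, 11}     # assumption: UDP-probe traceroute replies only

def inet_checksum(data: bytes) -> int:
    """16-bit ones' complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_packet(icmp_type, code=0, payload=b"constructed"):
    """Constructed sample: minimal IPv4 header (documentation addresses) + ICMP."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # The IP header checksum is left at 0; this sketch does not validate it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp

def icmp_type_of(packet: bytes):
    """Return the ICMP type, or None if this is not well-formed IPv4 ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                        # protocol 1 is ICMP
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:           # a valid message sums to zero
        return None
    return icmp[0]

def verdict(packet: bytes, allowed: set) -> str:
    """Allow only well-formed ICMP whose type is in the allowed set."""
    t = icmp_type_of(packet)
    return "allow" if t is not None and t in allowed else "deny"

if __name__ == "__main__":
    for t in (0, 3, 4, 5, 8, 11):
        pkt = build_icmp_packet(t)
        print(t, ICMP_NAMES.get(t, "other"),
              verdict(pkt, THREAD_RULE), verdict(pkt, TRACEROUTE_REPLIES))
```

With the narrower set, inbound echo requests (type 8) are denied while the replies a UDP-probe traceroute depends on still pass; a traceroute that sends ICMP echo probes would also need type 0.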