From owner-freebsd-questions Sat Nov 21 11:07:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA10812 for freebsd-questions-outgoing; Sat, 21 Nov 1998 11:07:59 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from java.dpcsys.com (java.dpcsys.com [206.16.184.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA10798 for ; Sat, 21 Nov 1998 11:07:54 -0800 (PST) (envelope-from dan@dpcsys.com)
Received: from localhost (dan@localhost) by java.dpcsys.com (8.9.1a/8.9.1) with SMTP id LAA04904; Sat, 21 Nov 1998 11:07:48 -0800 (PST)
Date: Sat, 21 Nov 1998 11:07:48 -0800 (PST)
From: Dan Busarow
To: Brian Gallucci
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ICMP
In-Reply-To: <000901be153b$273fd0e0$2900a8c0@desktop.briang.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 21 Nov 1998, Brian Gallucci wrote:
> Which one of these would I use if I wanted to stop people from doing a port
> scan on my boxes, but at the same time not stop me from being able to ping out....
> This is the rule I'm using " ipfw add 3400 deny log icmp from any to
> 24.1.88.78 icmptype ? "

Since ICMP doesn't use ports, blocking it won't have much effect on port
scanning.

If you want to block access to all ports from the outside use

    $fwcmd add deny log tcp from any to any in via ${oif} setup

along with

    $fwcmd add pass tcp from any to any established

to let your users get outside.

You can probably block all incoming UDP requests with the possible
exception of DNS.

The "simple" config in /etc/rc.firewall is a very good starting point
for you.

Dan
--
Dan Busarow                        949 443 4172
Dana Point Communications, Inc.    dan@dpcsys.com
Dana Point, California
83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82
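The two TCP rules Dan quotes, placed into a small dry-run rule set in the style of the "simple" section of /etc/rc.firewall. This is an added example, not code from the original post or from the FreeBSD rc.firewall script. It assumes the outside interface is named by ${oif} (ed0 is a placeholder) and that ${fwcmd} names the ipfw binary; by default fwcmd is set to "echo ipfw", so the script prints the rules it would load instead of touching the running firewall. The ICMP and UDP rules go beyond Dan's two lines to cover the original poster's "still be able to ping out" requirement and Dan's DNS remark.

```shell
#!/bin/sh
# Added example, not from the original post or from /etc/rc.firewall.
# Assumptions: ${oif} is the outside interface (ed0 is a placeholder) and
# ${fwcmd} is the ipfw binary. The default "echo ipfw" makes this a dry run.

oif="${oif:-ed0}"
fwcmd="${fwcmd:-echo ipfw}"

# Print the rule set in evaluation order. ipfw stops at the first matching
# rule, so the permissive "established" rule is listed before the denies.
build_rules() {
    # Packets belonging to connections already open (ACK or RST set), which
    # is what lets replies to our users' outbound connections back in.
    $fwcmd add pass tcp from any to any established
    # Inbound connection attempts (SYN without ACK) to any port are dropped
    # and logged. This, not an ICMP rule, is what blunts a TCP port scan.
    $fwcmd add deny log tcp from any to any in via "${oif}" setup
    # Outbound connections may still be started.
    $fwcmd add pass tcp from any to any out via "${oif}" setup
    # ICMP: our own echo requests out, echo replies back in, plus the
    # unreachable and time-exceeded messages that path MTU discovery and
    # traceroute depend on. Everything else ICMP falls through to the
    # default policy.
    $fwcmd add pass icmp from any to any out via "${oif}" icmptypes 8
    $fwcmd add pass icmp from any to any in via "${oif}" icmptypes 0,3,11
    # UDP: answers from remote DNS servers (source port 53) are the one
    # inbound exception; all other inbound UDP is dropped and logged.
    $fwcmd add pass udp from any 53 to any in via "${oif}"
    $fwcmd add deny log udp from any to any in via "${oif}"
}

# Count the rules with a given action ("pass" or "deny") in the generated
# set; a cheap sanity check before loading the rules for real.
count_action() {
    build_rules | grep -c " add $1 "
}

build_rules
```

Run it as `sh rules.sh` to see the rule set; `oif=de0 fwcmd=ipfw sh rules.sh` as root would load it for a different interface. The DNS exception trusts the remote source port alone, which is as precise as a stateless UDP filter can be; that coarseness is the trade-off behind Dan's "possible exception of DNS".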