Date: Thu, 27 Sep 2001 02:14:33 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "Chutima S." <chutima@onebox.com>
Cc: freebsd-security@FreeBSD.ORG, chutima@infoquest.co.th
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <20010927021433.E360@blossom.cjclark.org>
In-Reply-To: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>; from chutima@onebox.com on Wed, Sep 26, 2001 at 11:19:35PM -0700
References: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>

On Wed, Sep 26, 2001 at 11:19:35PM -0700, Chutima S. wrote:
> Hi
>
> I read from Firewall handbook as below:
> icmptypes types
> Matches if the ICMP type is present in the list types. The list may be
> specified as any combination of ranges and/or individual types separated
> by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
> destination unreachable, 5 redirect, 8 echo request (ping request), and
> 11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
>
> So I config ipfw for icmp as following:
>
> ipfw add pass icmp from <internal> to any icmptypes 8
> ipfw add pass icmp from any to <internal> icmptypes 0
> ipfw add pass icmp from any to <internal> icmptypes 11
>
> I can ping but I can not traceroute. Anything wrong with my config?

UNIX-style traceroute(8) sends UDP packets by default. Also, when the
packets actually hit the target, you'll get a port unreachable (type
3) coming back at you.
--
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
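
The rule set this reply points to, written out as an added example that is not part of the original message or of the FreeBSD handbook: the poster's ping rules beside the two rules traceroute needs (outbound UDP probes, inbound ICMP types 3 and 11). The network `192.168.1.0/24` is a constructed stand-in for `<internal>`, the port range `33434-33534` is an assumption based on traceroute(8)'s default base port of 33434, and the script only prints the rules unless `fwcmd` is set to the real ipfw binary.

```sh
#!/bin/sh
# Added example. Dry run by default: each rule is printed, not installed.
# To install the rules, run as root with fwcmd=/sbin/ipfw in the environment.
fwcmd="${fwcmd:-echo ipfw}"

# Constructed placeholder for the poster's <internal> network.
inet="${inet:-192.168.1.0/24}"

# Assumption: traceroute(8) starts at UDP port 33434 and raises the port by
# one per probe; this range covers the default 30 hops x 3 probes with margin.
tr_ports="${tr_ports:-33434-33534}"

ping_rules() {
    # The poster's working ping rules: echo request out, echo reply back.
    $fwcmd add pass icmp from "$inet" to any icmptypes 8
    $fwcmd add pass icmp from any to "$inet" icmptypes 0
}

traceroute_rules() {
    # The probes are UDP, so no "pass icmp" rule ever matches them.
    $fwcmd add pass udp from "$inet" to any "$tr_ports"
    # Answers: type 11 (time exceeded) from each intermediate hop, and
    # type 3 (destination unreachable; port unreachable is one of its
    # codes) from the target itself, which is how traceroute knows it is done.
    $fwcmd add pass icmp from any to "$inet" icmptypes 3,11
}

ping_rules
traceroute_rules
```

With only type 11 allowed inbound and no UDP rule, the probes never leave; with UDP allowed but type 3 still blocked, the intermediate hops appear and the final hop times out.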