From owner-freebsd-security Thu Sep 27 2:16:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gull.mail.pas.earthlink.net (gull.mail.pas.earthlink.net [207.217.121.85]) by hub.freebsd.org (Postfix) with ESMTP id 9A8E237B410 for ; Thu, 27 Sep 2001 02:16:35 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.247.141.88.Dial1.SanJose1.Level3.net [209.247.141.88]) by gull.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id CAA05487; Thu, 27 Sep 2001 02:14:37 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f8R9EYs78196; Thu, 27 Sep 2001 02:14:34 -0700 (PDT) (envelope-from cjc)
Date: Thu, 27 Sep 2001 02:14:33 -0700
From: "Crist J. Clark"
To: "Chutima S."
Cc: freebsd-security@FreeBSD.ORG, chutima@infoquest.co.th
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <20010927021433.E360@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>; from chutima@onebox.com on Wed, Sep 26, 2001 at 11:19:35PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Wed, Sep 26, 2001 at 11:19:35PM -0700, Chutima S. wrote:
> Hi
>
> I read from Firewall handbook as below:
>
> icmptypes types
>     Matches if the ICMP type is present in the list types. The list may be
>     specified as any combination of ranges and/or individual types separated
>     by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
>     destination unreachable, 5 redirect, 8 echo request (ping request), and
>     11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
>
> So I config ipfw for icmp as following:
>
> ipfw add pass icmp from to any icmptypes 8
> ipfw add pass icmp from any to icmptypes 0
> ipfw add pass icmp from any to icmptypes 11
>
> I can ping but I can not traceroute. Anything wrong with my config?

UNIX-style traceroute(8) sends UDP packets by default. Also, when the
packets actually hit the target, you'll get a port unreachable (type 3)
coming back at you.
--
Crist J. Clark                                cjclark@alum.mit.edu
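To make the reply concrete, here is an added illustration (not code from the list post or from ipfw itself): a toy first-match packet filter that mimics ipfw's pass/deny evaluation with `icmptypes` and destination-port matching, and runs a simulated ping and a simulated UDP traceroute through the three quoted rules and then through the same rules plus the two the reply implies (outbound UDP probes and inbound ICMP type 3). The addresses are constructed documentation-range values, and the 33434-33523 probe port range is the classic traceroute(8) default, taken as an assumption here rather than from the post.

```python
"""Toy first-match packet filter modelled on ipfw's `pass`/`deny` rules,
written to show why the quoted ruleset lets ping through but breaks
traceroute(8). Added illustration, not ipfw; addresses and the port
range are assumptions for the example."""
from dataclasses import dataclass
from typing import Optional

MYHOST = "192.0.2.10"   # constructed: the firewall host's own address


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp" or "udp"
    src: str
    dst: str
    icmptype: Optional[int] = None    # ICMP type, for icmp packets
    dport: Optional[int] = None       # UDP destination port, for udp packets


@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "deny"
    proto: str                              # "icmp", "udp" or "ip" (any)
    src: str                                # address or "any"
    dst: str                                # address or "any"
    icmptypes: Optional[frozenset] = None   # like ipfw's icmptypes list
    dports: Optional[range] = None          # like a destination port range

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.icmptypes is not None and p.icmptype not in self.icmptypes:
            return False
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        return True


def evaluate(rules, p: Packet) -> str:
    """First matching rule decides; fall through to an implicit default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The poster's three rules, as quoted in the question (source address filled
# with the constructed MYHOST, since the post elides it).
PING_ONLY = [
    Rule("pass", "icmp", MYHOST, "any", icmptypes=frozenset({8})),
    Rule("pass", "icmp", "any", MYHOST, icmptypes=frozenset({0})),
    Rule("pass", "icmp", "any", MYHOST, icmptypes=frozenset({11})),
]

# What the reply points at: the outbound UDP probes and the inbound
# port-unreachable (type 3) that the final hop sends back.
# 33434-33523 is the classic traceroute(8) default range (assumption;
# check the traceroute manual page on your own system).
TRACEROUTE_TOO = PING_ONLY + [
    Rule("pass", "udp", MYHOST, "any", dports=range(33434, 33524)),
    Rule("pass", "icmp", "any", MYHOST, icmptypes=frozenset({3})),
]


def ping_works(rules, target="198.51.100.1") -> bool:
    """Echo request out, echo reply back."""
    out = evaluate(rules, Packet("icmp", MYHOST, target, icmptype=8))
    back = evaluate(rules, Packet("icmp", target, MYHOST, icmptype=0))
    return out == "pass" and back == "pass"


def traceroute_works(rules, hops=("203.0.113.1", "203.0.113.2"),
                     target="198.51.100.1") -> bool:
    """One UDP probe per hop; intermediate hops answer ICMP 11 (time
    exceeded), the target answers ICMP 3 (port unreachable)."""
    for i, hop in enumerate(hops + (target,)):
        probe = Packet("udp", MYHOST, target, dport=33434 + i)
        if evaluate(rules, probe) != "pass":
            return False
        reply_type = 3 if hop == target else 11
        if evaluate(rules, Packet("icmp", hop, MYHOST, icmptype=reply_type)) != "pass":
            return False
    return True


if __name__ == "__main__":
    print("ping-only ruleset:  ping", ping_works(PING_ONLY),
          " traceroute", traceroute_works(PING_ONLY))
    print("with udp + type 3:  ping", ping_works(TRACEROUTE_TOO),
          " traceroute", traceroute_works(TRACEROUTE_TOO))
```

Run stand-alone, the first ruleset reports ping True / traceroute False, and the second reports True / True: the UDP probes never match an icmp-only rule, so the first probe is already denied, and even with UDP allowed the final answer (type 3) would still be dropped without its own rule. On a real ipfw box the equivalent fix is two rules, one passing outbound UDP to the probe port range and one passing inbound ICMP type 3 to your host; a stateful `keep-state` rule on the outbound UDP is the tidier alternative if your ipfw supports it.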