Date: Tue, 06 Feb 2001 20:08:16 +0100
From: mouss <usebsd@free.fr>
To: milunovic <milunovic@sendmail.ru>, freebsd-hackers@freebsd.org
Subject: Re: echo request deny
Message-ID: <4.3.0.20010206195541.06311720@pop.free.fr>
In-Reply-To: <Pine.BSF.4.21.0102061203230.643-100000@scorpion.cosmos.all .net>

At 12:05 06/02/01 +0000, milunovic wrote:
>Is there any way to deny echo request on FreeBSD (except ipfw add deny
>icmp from any to any) ?
>On Linux it was simple, just echo 1>/proc/.../icmp_echo_request

'ifconfig ifacename down' does the same, and even more. Just kidding :)

I don't see a valid reason to block echo req in an absolute manner. Doing it on a per-rule basis (such as for some source hosts) seems to me to be the right way. And this is currently only handled by IP filtering engines, which again seems to be the right way. Or maybe you have a motivation that I missed?

If you're having script kiddies trying to ping hosts in order to attack'em, you'll certainly want to block more than just echo requests, so ipfw or ipf are worth the pain. Otherwise, they can replace ping with traceroute, telnet, netcat, ....

Or do you mean you want to prohibit using ping on the host itself so that your users do not ping other hosts? Then change the permissions of /sbin/ping (and any other equivalent prog. It must be setuid to use raw sockets, so they can't just compile one and use it).

regards,
mouss

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message