Date: Sat, 21 Jul 2001 23:02:20 -0400 (EDT)
From: Mark Livingstone <mlivingstone@ottawa.com>
To: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: how could this PACKET get through?!
Message-ID: <200107220302.XAA18060@mail.ottawa.com>
Fernando, thanks for your help. I do have one question for you: I need to block all incoming icmp, however, allow outgoing icmp + traceroute. Which rules should I preserve and which should I remove? The setup that I have does exactly what I need, but I bet there is a better way you know of. Thanks.

On Jul 17, Fernando Gleiser <fgleiser@cactus.fi.uba.ar> wrote:

> On Tue, 17 Jul 2001, Mark Livingstone wrote:
> [snip]
> >
> > pass in log quick on ed0 proto icmp from any to any icmp-type 0
> > pass in log quick on ed0 proto icmp from any to any icmp-type unreach code 3
> > pass in log quick on ed0 proto icmp from any to any icmp-type unreach code 4
> > pass in log quick on ed0 proto icmp from any to any icmp-type timex
>                                                                 ^^^^^^^^
> Here it is: you allow incoming icmp time exceeded, and log it. The packet you
> received was a time exceeded in transit (11/0).
>
> Those seem the rules to make traceroute work. If you keep state on
> outgoing udp packets you won't need them, the state code can tell
> icmp packets which are responses to outgoing packets from icmp packets
> which aren't (because an icmp error has the first bytes of the packet which
> caused it).
>
> Fer
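The mechanism Fernando describes, matching an ICMP error back to the outgoing datagram from the header copy it carries, as an added example that is not code from this thread or from IPFilter itself. It is a simplified model of what a stateful filter does with `keep state` on outgoing udp; the addresses, ports and the single traceroute probe in the state table are constructed.

```python
import socket
import struct

# ICMP error types that carry the IP header + first 8 bytes of the offending
# datagram (RFC 792): unreach, source quench, redirect, time exceeded, param problem.
ICMP_ERROR_TYPES = (3, 4, 5, 11, 12)

def build_icmp_error(icmp_type, code, inner_src, inner_dst, proto, sport, dport):
    """Constructed sample: an ICMP error whose payload is the IPv4 header and the
    8-byte UDP header of the datagram that caused it. Checksums are left zero."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                           socket.inet_aton(inner_src), socket.inet_aton(inner_dst))
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_udp

def icmp_error_origin(icmp):
    """Return (proto, src, sport, dst, dport) of the datagram an ICMP error refers
    to, or None if the message is not an error or carries too little of it."""
    if len(icmp) < 8 + 20 + 4 or icmp[0] not in ICMP_ERROR_TYPES:
        return None            # e.g. echo reply (type 0) embeds no offending datagram
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    if proto not in (6, 17) or len(inner) < ihl + 4:
        return None            # only TCP/UDP ports are modelled here
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)

def matches_state(icmp, state_table):
    """True only when the error refers to a flow recorded on the way out; a stray
    time-exceeded or unreach for a flow we never started does not match."""
    origin = icmp_error_origin(icmp)
    return origin is not None and origin in state_table

if __name__ == "__main__":
    # Constructed state entry: one outgoing UDP traceroute probe.
    state = {(17, "192.0.2.10", 40000, "198.51.100.5", 33435)}
    legit = build_icmp_error(11, 0, "192.0.2.10", "198.51.100.5", 17, 40000, 33435)
    stray = build_icmp_error(11, 0, "192.0.2.10", "203.0.113.9", 17, 40000, 33435)
    print(matches_state(legit, state), matches_state(stray, state))  # True False
```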