Date: Thu, 27 Sep 2001 10:35:53 -0700 From: Greg Shenaut <greg@bogslab.ucdavis.edu> To: security@FreeBSD.ORG Subject: Re: How to config IPFW for enable ping and traceroute Message-ID: <200109271736.f8RHZrA20332@thistle.bogs.org> In-Reply-To: Your message of "Wed, 26 Sep 2001 23:19:35 PDT." <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>, "Chutima S." cleopede:
>Hi
>
>I read from Firewall handbook as below:
>icmptypes types
>Matches if the ICMP type is present in the list types. The list may be
>specified as any combination of ranges and/or individual types separated
>by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
>destination unreachable, 5 redirect, 8 echo request (ping request), and
>11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
>
>So I config ipfw for icmp as following:
>
>ipfw add pass icmp from <internal> to any icmptypes 8
>ipfw add pass icmp from any to <internal> icmptypes 0
>ipfw add pass icmp from any to <internal> icmptypes 11
>
>I can ping but I can not traceroute. Anything wrong with my config?
Here is a scrap from the ksh script I use to generate my ipfw rules.
It lets me ping and traceroute out, but accepts them only to my
gateway box. Note that it accepts any udp to a gateway interface
in the standard range of traceroute ports (use of other ports will
cause traceroute to fail).
"add" adds the rule, "alias" adds the rule for each alias of my
external interface (using "printf", hence the "%s"). Variables
{if,ip,mask,net}0 correspond to my external link; "{if,ip,net,mask}X"
where X is 1-9 correspond to one of my internal subnets.
--- begin ---
# ICMP
# allow all ping and traceroute replies plus source quench
add pass icmp from any to any icmptypes 0,3,4,11,12
# Allow ping of firewall machine but not beyond
alias pass icmp from any to %s icmptypes 8
alias pass icmp from %s to any icmptypes 8
# NOTE: the next rule is a limited insecurity
alias pass udp from any to %s 33434-33523
alias pass udp from %s to any 33434-33523
# allow ping from any internal subnet
for x in 1 2 3 4 5 6 7 8 9 ; do
eval "iif=\$if$x"
if [[ "$iif" = "" ]] ; then
continue
fi
eval "inet=\$net$x"
eval "imask=\$mask$x"
eval "iip=\$ip$x"
add pass icmp from ${inet}:${imask} to any icmptypes 8
add pass udp from ${inet}:${imask} to any 33434-33523
done
# explicitly deny other icmp packets across firewall
add deny icmp from any to any via ${if0}
---end---
I hope this is helpful.
Greg Shenaut
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109271736.f8RHZrA20332>