Date: Thu, 27 Sep 2001 10:35:53 -0700
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
To: security@FreeBSD.ORG
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <200109271736.f8RHZrA20332@thistle.bogs.org>
In-Reply-To: Your message of "Wed, 26 Sep 2001 23:19:35 PDT." <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>
In message <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>, "Chutima S." cleopede:
>Hi
>
>I read from the Firewall handbook as below:
>icmptypes types
>Matches if the ICMP type is present in the list types. The list may be
>specified as any combination of ranges and/or individual types separated
>by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
>destination unreachable, 5 redirect, 8 echo request (ping request), and
>11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
>
>So I configured ipfw for icmp as follows:
>
>ipfw add pass icmp from <internal> to any icmptypes 8
>ipfw add pass icmp from any to <internal> icmptypes 0
>ipfw add pass icmp from any to <internal> icmptypes 11
>
>I can ping but I cannot traceroute. Anything wrong with my config?

Here is a scrap from the ksh script I use to generate my ipfw rules. It lets me ping and traceroute out, but accepts them only to my gateway box. Note that it accepts any udp to a gateway interface in the standard range of traceroute ports (use of other ports will cause traceroute to fail). "add" adds the rule, "alias" adds the rule for each alias of my external interface (using "printf", hence the "%s"). Variables {if,ip,mask,net}0 correspond to my external link; "{if,ip,net,mask}X" where X is 1-9 correspond to one of my internal subnets.
--- begin ---
# ICMP
# allow all ping and traceroute replies plus source quench
add pass icmp from any to any icmptypes 0,3,4,11,12

# Allow ping of firewall machine but not beyond
alias pass icmp from any to %s icmptypes 8
alias pass icmp from %s to any icmptypes 8

# NOTE: the next rule is a limited insecurity
alias pass udp from any to %s 33434-33523
alias pass udp from %s to any 33434-33523

# allow ping from any internal subnet
for x in 1 2 3 4 5 6 7 8 9 ; do
	eval "iif=\$if$x"
	if [[ "$iif" = "" ]] ; then
		continue
	fi
	eval "inet=\$net$x"
	eval "imask=\$mask$x"
	eval "iip=\$ip$x"
	add pass icmp from ${inet}:${imask} to any icmptypes 8
	add pass udp from ${inet}:${imask} to any 33434-33523
done

# explicitly deny other icmp packets across firewall
add deny icmp from any to any via ${if0}
---end---

I hope this is helpful.

Greg Shenaut
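The reason the original poster's rules allow ping but not traceroute is visible when the two exchanges are walked through a first-match rule evaluator. The following Python is an added illustration, not code from the thread or from FreeBSD: it parses the subset of ipfw syntax quoted above, replays a constructed ping and a constructed UDP traceroute (outbound probes to ports 33434-33523, ICMP type 11 replies from intermediate hops, an ICMP type 3 reply from the final host), and reports where each ruleset drops the first packet. The addresses are from the RFC 5737 documentation ranges, `INTERNAL` stands in for the thread's `<internal>` placeholder, and the hypothetical `CORRECTED` ruleset adds only the two rules the exchange needs (the outbound UDP probe rule Greg's script also has, plus inbound ICMP type 3); Greg's additional restriction of inbound probes to the gateway box is not modelled.

```python
# Added example, not code from the thread: a tiny first-match evaluator for
# the ipfw rule subset quoted above, run over a constructed ping and
# traceroute. INTERNAL replaces the poster's <internal> placeholder; hosts
# are RFC 5737 documentation addresses.
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = "192.168.1.0/24"

@dataclass
class Packet:
    proto: str                     # "icmp" or "udp"
    src: str
    dst: str
    icmptype: Optional[int] = None
    dport: Optional[int] = None
    note: str = ""                 # human-readable label used in reports

def in_net(ip: str, net: str) -> bool:
    """'any' matches everything; otherwise a single host or a CIDR block."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def parse_rule(text: str) -> dict:
    """Parse '[ipfw add] <action> <proto> from <src> to <dst> [icmptypes a,b | lo-hi]'.
    A port range after the destination is a destination-port range, as in the
    rules quoted in the thread."""
    t = text.split()
    while t and t[0] in ("ipfw", "add"):
        t.pop(0)
    rule = {"action": t[0], "proto": t[1], "src": t[3], "dst": t[5],
            "icmptypes": None, "dports": None}
    rest = t[6:]
    if rest and rest[0] == "icmptypes":
        rule["icmptypes"] = {int(x) for x in rest[1].split(",")}
    elif rest:
        lo, _, hi = rest[0].partition("-")
        rule["dports"] = (int(lo), int(hi or lo))
    return rule

def matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] != pkt.proto:
        return False
    if not (in_net(pkt.src, rule["src"]) and in_net(pkt.dst, rule["dst"])):
        return False
    if rule["icmptypes"] is not None and pkt.icmptype not in rule["icmptypes"]:
        return False
    if rule["dports"] is not None:
        lo, hi = rule["dports"]
        if pkt.dport is None or not lo <= pkt.dport <= hi:
            return False
    return True

def verdict(ruleset: list, pkt: Packet) -> str:
    """First matching rule wins; with no match the packet is denied (default policy)."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

def first_blocked(ruleset: list, exchange: list) -> Optional[str]:
    """Label of the first packet the ruleset drops, or None if the whole exchange passes."""
    for pkt in exchange:
        if verdict(ruleset, pkt) != "pass":
            return pkt.note
    return None

# Constructed traces (not captured): internal host 192.168.1.10 pings, then
# traceroutes, external host 203.0.113.5 through intermediate hop 198.51.100.1.
PING = [
    Packet("icmp", "192.168.1.10", "203.0.113.5", icmptype=8, note="echo request"),
    Packet("icmp", "203.0.113.5", "192.168.1.10", icmptype=0, note="echo reply"),
]
TRACEROUTE = [
    Packet("udp", "192.168.1.10", "203.0.113.5", dport=33434, note="UDP probe, TTL 1"),
    Packet("icmp", "198.51.100.1", "192.168.1.10", icmptype=11, note="time exceeded from hop 1"),
    Packet("udp", "192.168.1.10", "203.0.113.5", dport=33435, note="UDP probe, TTL 2"),
    Packet("icmp", "203.0.113.5", "192.168.1.10", icmptype=3, note="port unreachable from target"),
]

# The original poster's three rules, verbatim apart from the <internal> placeholder.
ORIGINAL = [parse_rule(r) for r in (
    f"ipfw add pass icmp from {INTERNAL} to any icmptypes 8",
    f"ipfw add pass icmp from any to {INTERNAL} icmptypes 0",
    f"ipfw add pass icmp from any to {INTERNAL} icmptypes 11",
)]

# Hypothetical corrected set: the same rules plus the two traceroute needs.
CORRECTED = ORIGINAL + [parse_rule(r) for r in (
    f"ipfw add pass udp from {INTERNAL} to any 33434-33523",
    f"ipfw add pass icmp from any to {INTERNAL} icmptypes 3",
)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"{name}: ping blocked at {first_blocked(rules, PING)!r}, "
              f"traceroute blocked at {first_blocked(rules, TRACEROUTE)!r}")
```

Run stand-alone, the original ruleset drops the very first UDP probe, so no ICMP type 11 reply is ever provoked; even with an outbound UDP rule added, the final ICMP type 3 (port unreachable) would still be denied without the type 3 rule, and traceroute would never print its last hop. The destination-port check also shows why Greg notes that probes outside 33434-33523 fail: a probe to any other port matches no pass rule.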