From owner-freebsd-security Thu Sep 27 10:38:30 2001
Message-Id: <200109271736.f8RHZrA20332@thistle.bogs.org>
To: security@FreeBSD.ORG
X-To: "Chutima S."
Subject: Re: How to config IPFW for enable ping and traceroute
In-reply-to: Your message of "Wed, 26 Sep 2001 23:19:35 PDT." <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>
Reply-To: gkshenaut@ucdavis.edu
Date: Thu, 27 Sep 2001 10:35:53 -0700
From: Greg Shenaut

In message <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>, "Chutima S." cleopede:
>Hi
>
>I read from Firewall handbook as below:
>icmptypes types
>Matches if the ICMP type is present in the list types. The list may be
>specified as any combination of ranges and/or individual types separated
>by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
>destination unreachable, 5 redirect, 8 echo request (ping request), and
>11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
>
>So I config ipfw for icmp as following:
>
>ipfw add pass icmp from to any icmptypes 8
>ipfw add pass icmp from any to icmptypes 0
>ipfw add pass icmp from any to icmptypes 11
>
>I can ping but I cannot traceroute. Anything wrong with my config?

Here is a scrap from the ksh script I use to generate my ipfw rules. It lets me ping and traceroute out, but accepts them only to my gateway box. Note that it accepts any udp to a gateway interface in the standard range of traceroute ports (use of other ports will cause traceroute to fail). "add" adds the rule, "alias" adds the rule for each alias of my external interface (using "printf", hence the "%s"). Variables {if,ip,mask,net}0 correspond to my external link; "{if,ip,net,mask}X" where X is 1-9 correspond to one of my internal subnets.

--- begin ---
# "add", "alias", and the variables {if,ip,mask,net}0..9 are defined
# earlier in the full script; this scrap shows only the ICMP section.

# ICMP
# allow all ping and traceroute replies plus source quench
# (0 echo reply, 3 unreachable, 4 source quench, 11 time exceeded,
#  12 parameter problem)
add pass icmp from any to any icmptypes 0,3,4,11,12

# Allow ping of firewall machine but not beyond
alias pass icmp from any to %s icmptypes 8
alias pass icmp from %s to any icmptypes 8

# NOTE: the next rule is a limited insecurity
# (traceroute probes are UDP to this port range; both directions are
#  accepted for each alias of the external interface only)
alias pass udp from any to %s 33434-33523
alias pass udp from %s to any 33434-33523

# allow ping and traceroute out from any internal subnet
for x in 1 2 3 4 5 6 7 8 9 ; do
	eval "iif=\$if$x"
	if [[ "$iif" = "" ]] ; then
		continue		# subnet slot not in use
	fi
	eval "inet=\$net$x"
	eval "imask=\$mask$x"
	eval "iip=\$ip$x"
	add pass icmp from ${inet}:${imask} to any icmptypes 8
	add pass udp from ${inet}:${imask} to any 33434-33523
done

# explicitly deny other icmp packets across firewall
add deny icmp from any to any via ${if0}
---end---

I hope this is helpful.

Greg Shenaut
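As an added illustration, not part of the thread or of Greg's script, the following POSIX sh dry-run shows what his "add" and "alias" helpers expand to and why the questioner's three rules are not enough for outbound traceroute (the UDP probes have to be allowed out, and the type 11 and type 3 replies allowed back). It assumes, as the mail describes, that "add" prefixes the rule with "ipfw add" and that "alias" fills each external address into "%s" with printf; the helper is named alias_rule here because "alias" is a shell builtin. The interface fxp0, the addresses and the subnets are constructed values, and nothing is handed to ipfw: the generated commands are collected in a variable so they can be checked.

```shell
#!/bin/sh
# Added example (not from the original thread or Greg's script): a dry-run
# generator for the ICMP/traceroute section of an ipfw rule set. The rule
# text is collected in RULES rather than executed, so it can be inspected
# or later piped to sh on a real gateway. All values below are constructed.

if0="fxp0"                                  # constructed: external interface
ext_addrs="192.0.2.1 192.0.2.2"             # constructed: addresses carried by $if0
net1="192.168.1.0"; mask1="255.255.255.0"   # constructed: internal subnet 1
net2=""; mask2=""                           # empty slot, skipped like Greg's loop does
NL='
'
RULES=""

# emit: append one complete ipfw command to RULES
emit() { RULES="${RULES}ipfw add $1${NL}"; }

# add: the rule text is used verbatim (assumed behaviour of Greg's "add")
add() { emit "$*"; }

# alias_rule: expand the rule once per external address, filling in %s
# (assumed behaviour of Greg's "alias")
alias_rule() {
    for a in $ext_addrs; do
        # the rule text is deliberately the printf format string
        emit "$(printf "$*" "$a")"
    done
}

# generate_rules: build the ICMP section into RULES (a global, so the
# checking helpers below can read it)
generate_rules() {
    RULES=""
    # replies that ping and traceroute depend on: 0 echo reply,
    # 3 unreachable (ends a traceroute), 11 time exceeded (one per hop)
    add pass icmp from any to any icmptypes 0,3,4,11,12
    # ping the gateway itself, and let the gateway ping out
    alias_rule pass icmp from any to %s icmptypes 8
    alias_rule pass icmp from %s to any icmptypes 8
    # traceroute probes to and from the gateway (UDP high ports)
    alias_rule pass udp from any to %s 33434-33523
    alias_rule pass udp from %s to any 33434-33523
    # internal subnets may ping and traceroute out
    for x in 1 2; do
        eval "inet=\$net$x"
        eval "imask=\$mask$x"
        if [ -z "$inet" ]; then
            continue
        fi
        add pass icmp from "${inet}:${imask}" to any icmptypes 8
        add pass udp from "${inet}:${imask}" to any 33434-33523
    done
    add deny icmp from any to any via "${if0}"
}

# questioner_rules: the three rules from the question, with a constructed
# gateway address in the blank, so they can be checked the same way
questioner_rules() {
    RULES=""
    add pass icmp from 192.0.2.1 to any icmptypes 8
    add pass icmp from any to 192.0.2.1 icmptypes 0
    add pass icmp from any to 192.0.2.1 icmptypes 11
}

# rule_count: number of generated ipfw commands
rule_count() { printf '%s' "$RULES" | grep -c 'ipfw add'; }

# icmp_type_allowed TYPE: does some pass rule list TYPE in its icmptypes
# set? (comma-separated lists only; ranges are not expanded)
icmp_type_allowed() {
    printf '%s' "$RULES" | awk -v t="$1" '
        /pass icmp .* icmptypes/ {
            n = split($NF, list, ",")
            for (i = 1; i <= n; i++) if (list[i] == t) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# traceroute_gaps: what the current RULES still lack for outbound
# traceroute: UDP probes leaving, type 11 and type 3 replies coming back
traceroute_gaps() {
    gaps=""
    printf '%s' "$RULES" | grep -q 'pass udp from .* to any 33434-33523' \
        || gaps="$gaps udp-probes-out"
    icmp_type_allowed 11 || gaps="$gaps icmp-type-11"
    icmp_type_allowed 3 || gaps="$gaps icmp-type-3"
    printf '%s' "${gaps# }"
}

generate_rules
printf '%s' "$RULES"
questioner_rules
echo "questioner's config is missing: $(traceroute_gaps)"
```

Run with sh to print the expanded rule set; the last line reports that the questioner's rules lack both the outbound UDP probe rule and ICMP type 3, which is why ping works (types 8 and 0 are there) while traceroute never completes.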