From owner-freebsd-questions  Mon Oct  7  2:35:56 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 96E6F37B401; Mon,  7 Oct 2002 02:35:54 -0700 (PDT)
Received: from rhadamanth.submonkey.net (pc1-cdif2-4-cust210.cdf.cable.ntl.com [80.4.10.210])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 81F7E43E7B; Mon,  7 Oct 2002 02:35:53 -0700 (PDT)
	(envelope-from setantae@submonkey.net)
Received: from setantae by rhadamanth.submonkey.net with local (Exim 4.10)
	id 17yUIn-0001rO-00; Mon, 07 Oct 2002 10:35:49 +0100
Date: Mon, 7 Oct 2002 10:35:49 +0100
From: Ceri Davies <setantae@submonkey.net>
To: Giorgos Keramidas <keramida@freebsd.org>
Cc: "Jack L. Stone" <jackstone@sage-one.net>,
	Patrick O'Reilly <bsd@perimeter.co.za>, questions@freebsd.org,
	master <master@tyranz.com>
Subject: Re: block icmp with ipfw
Message-ID: <20021007093549.GA7137@submonkey.net>
Mail-Followup-To: Ceri Davies <setantae@submonkey.net>,
	Giorgos Keramidas <keramida@freebsd.org>,
	"Jack L. Stone" <jackstone@sage-one.net>,
	Patrick O'Reilly <bsd@perimeter.co.za>, questions@freebsd.org,
	master <master@tyranz.com>
References: <3.0.5.32.20021005085103.011d62c0@mail.sage-one.net> <3.0.5.32.20021005193900.01199da8@mail.sage-one.net> <20021006004911.GB39351@hades.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021006004911.GB39351@hades.hell.gr>
X-message-flag: All your linuxconf-configured redhat are belong to us.
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Sun, Oct 06, 2002 at 03:49:11AM +0300, Giorgos Keramidas wrote:
> On 2002-10-05 19:39, "Jack L. Stone" <jackstone@sage-one.net> wrote:
> > At 09:41 PM 10.5.2002 +0300, Giorgos Keramidas wrote:
> > >On 2002-10-05 08:51, Jack L. Stone wrote:
> > >> At 03:41 PM 10.5.2002 +0200, Patrick O'Reilly wrote:
> > >> >From: "master" <master@tyranz.com>
> > >> > > hi all i would like to know the syntax of ipfw to block icmp ping?
> > >> > > (echo and reply)
> > >> >
> > >> > ipfw add 123 deny ip from any to any icmtypes 8
> > >>
> > >> .... but if you still want to ping OUT....
> > >> ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
> > >
> > >That will negate the effect of any firewall rules that "block" icmp
> > >packets though, i.e. it's the opposite of what was asked :-)
> >
> > ....then answer the poster's question. I don't have the same other rule in
> > conflict....
> 
> Pardon me sounding a bit offensive, if I did.  I meant that there is
> no good rule that allows outgoing pings but blocks incoming ones.

This seems to work for me:

add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
...
default deny

Ceri
-- 
you can't see when light's so strong
you can't see when light is gone

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message