From: Nate Williams
Date: Thu, 27 Sep 2001 12:29:48 -0600
To: "Chutima S."
Cc: freebsd-security@FreeBSD.ORG, chutima@infoquest.co.th
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <15283.28700.819462.391437@nomad.yogotech.com>
In-Reply-To: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>
References: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>
Reply-To: nate@yogotech.com (Nate Williams)

> So I config ipfw for icmp as following:
>
> ipfw add pass icmp from to any icmptypes 8
> ipfw add pass icmp from any to icmptypes 0
> ipfw add pass icmp from any to icmptypes 11

You'll also want a rule like this for PMTU and other important things to
work, which can simplify things.

############
# Let valid/necessary ICMP/traceroute packets through.
/sbin/ipfw add pass icmp from any to any icmptypes 0,3,11

# Allow outgoing pings and other such ICMP packets to work.
/sbin/ipfw add pass icmp from any to any out

# Outgoing traceroute udp packets are let out
/sbin/ipfw add pass udp from any to any 33434-34000 out

These three rules are all you should need on a FreeBSD box to secure the
box itself. Others have followed up with fairly complicated rulesets, but
by using the 'in/out' keywords, you can more easily lock things down on a
host w/out going through gyrations on aliases and such.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
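The following is an added example, not part of Nate's post or of the FreeBSD ipfw sources. It wraps the three ICMP/traceroute rules from the reply in a complete host-only ruleset: loopback is allowed unconditionally, ICMP types 0 (echo reply), 3 (destination unreachable, which carries the "fragmentation needed" message Path MTU discovery depends on) and 11 (time exceeded, which traceroute relies on) are accepted inbound, all ICMP and UDP traceroute probes are allowed outbound, established TCP sessions are allowed, and everything else is denied and logged. The extra loopback, established-TCP and final-deny rules, the function names, the rule ordering and the "apply" entry point are this example's own assumptions; the ruleset is emitted as text first so it can be reviewed before being loaded with ipfw.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): a minimal host ipfw ruleset
# built around Nate's three ICMP/traceroute rules. Assumed names and rule
# ordering are this example's own; review the output before applying it.
set -eu

IPFW=${IPFW:-/sbin/ipfw}   # path to the ipfw binary; override if it lives elsewhere

# Print the ruleset one "add ..." command per line, in load order. ipfw
# numbers rules in steps of 100 as they are added, so the order here is the
# order packets are matched in.
build_ruleset() {
    # Traffic on the loopback interface never leaves the host.
    echo "add pass ip from any to any via lo0"
    # ICMP the host must accept: echo reply (0) so its own pings are answered,
    # destination unreachable (3) so Path MTU discovery keeps working, and
    # time exceeded (11) so outgoing traceroute sees each intermediate hop.
    echo "add pass icmp from any to any icmptypes 0,3,11 in"
    # Any ICMP the host itself sends, e.g. its own echo requests.
    echo "add pass icmp from any to any out"
    # UDP probes in the port range traceroute uses.
    echo "add pass udp from any to any 33434-34000 out"
    # TCP connections the host opens (outgoing SYNs) and the packets of
    # already-established sessions in either direction.
    echo "add pass tcp from any to any out"
    echo "add pass tcp from any to any established"
    # Everything not matched above, inbound or outbound, is dropped and logged.
    echo "add deny log ip from any to any"
}

# Number of rules the ruleset contains; handy for a sanity check after loading.
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

# Flush the running rules and load the ruleset. Requires root and the ipfw
# kernel module; do this from a console session, since the final deny rule
# will cut an unprivileged remote session that is not yet established.
apply_ruleset() {
    "$IPFW" -q -f flush
    build_ruleset | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # rules are plain words, splitting is intended
        "$IPFW" -q $rule
    done
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;   # default: just show what would be loaded
esac
```

Running the script with no argument prints the rules so they can be read through; `./host-ipfw.sh apply` loads them. Putting the ICMP rule before the final deny matters: if ICMP type 3 is blocked, connections to hosts behind a smaller-MTU link hang on large packets, which is the PMTU failure the reply warns about.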