Date: Thu, 27 Sep 2001 12:29:48 -0600
From: Nate Williams <nate@yogotech.com>
To: "Chutima S." <chutima@onebox.com>
Cc: freebsd-security@FreeBSD.ORG, chutima@infoquest.co.th
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <15283.28700.819462.391437@nomad.yogotech.com>
In-Reply-To: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>
References: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>
> So I config ipfw for icmp as follows:
>
> ipfw add pass icmp from <internal> to any icmptypes 8
> ipfw add pass icmp from any to <internal> icmptypes 0
> ipfw add pass icmp from any to <internal> icmptypes 11

You'll also want a rule like this for PMTU and other important things to work, which can simplify things.

############
# Let valid/necessary ICMP/traceroute packets through.
/sbin/ipfw add pass icmp from any to any icmptypes 0,3,11

# Allow outgoing pings and other such ICMP packets to work.
/sbin/ipfw add pass icmp from any to any out

# Outgoing traceroute udp packets are let out
/sbin/ipfw add pass udp from any to any 33434-34000 out

These three rules are all you should need on a FreeBSD box to secure the box itself. Others have followed up with fairly complicated rulesets, but by using the 'in/out' keywords, you can more easily lock things down on a host w/out going through gyrations on aliases and such.

Nate
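Added illustration, not part of Nate's post and not ipfw itself: a small first-match model of his three rules plus the kernel's default deny rule, run over constructed sample packets so the effect of the `out` keyword and the `icmptypes 0,3,11` list can be checked offline. It assumes the kernel's last rule is `deny ip from any to any` (a default-deny build) and that the packet dictionaries below stand in for real traffic.

```python
# Model of the three ipfw rules from the post plus default deny (constructed, not ipfw).
# Rule tuple: (action, proto, direction or None, icmptypes or None, udp dst port range or None)
RULES = [
    ("pass", "icmp", None, {0, 3, 11}, None),      # echo reply, unreachable (PMTU), time exceeded
    ("pass", "icmp", "out", None, None),           # any outgoing ICMP, e.g. pings
    ("pass", "udp", "out", None, (33434, 34000)),  # outgoing traceroute probes
    ("deny", "ip", None, None, None),              # assumed kernel default: deny ip from any to any
]

def rule_matches(rule, pkt):
    """True if the packet (a dict built below) satisfies every field the rule constrains."""
    _, proto, direction, icmptypes, ports = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if direction is not None and direction != pkt["dir"]:
        return False
    if icmptypes is not None and pkt.get("icmptype") not in icmptypes:
        return False
    if ports is not None and not (ports[0] <= pkt.get("dport", -1) <= ports[1]):
        return False
    return True

def verdict(pkt, rules=RULES):
    """ipfw is first-match: the first rule whose fields all match decides the packet."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"

# Constructed sample packets, seen from the protected host's point of view.
SAMPLES = {
    "outgoing_ping":         {"proto": "icmp", "dir": "out", "icmptype": 8},
    "incoming_ping_reply":   {"proto": "icmp", "dir": "in",  "icmptype": 0},
    "incoming_ping_request": {"proto": "icmp", "dir": "in",  "icmptype": 8},   # host is not pingable
    "incoming_frag_needed":  {"proto": "icmp", "dir": "in",  "icmptype": 3},   # PMTU discovery works
    "incoming_ttl_exceeded": {"proto": "icmp", "dir": "in",  "icmptype": 11},  # traceroute hops show
    "outgoing_traceroute":   {"proto": "udp",  "dir": "out", "dport": 33434},
    "incoming_udp_33434":    {"proto": "udp",  "dir": "in",  "dport": 33434},  # "out" keyword blocks it
    "outgoing_dns_query":    {"proto": "udp",  "dir": "out", "dport": 53},     # needs its own rule
}

def evaluate_samples():
    """Return the verdict for every sample packet under RULES."""
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:24s} {action}")
```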