From: "William Wong"
Delivered-To: freebsd-security@freebsd.org
Subject: Re: icmptypes
Date: Mon, 21 Aug 2000 17:34:25 -0400
Message-ID: <003c01c00bb7$94783340$0300a8c0@anime.ca>
References: <007701c00b4f$9c905340$4c9409cb@labyrinth.net.au>

Hi there,

Thanks for the responses. I've got a somewhat follow-up question. Instead of just dropping an icmp packet with, say, ipfw's deny rule, is there a "polite" way to deny the packet? To clarify, I want to send an equivalent of a "tcp reset" back, to let them know it's closed. Or is there no such thing as this for the icmp protocol? I'm not that familiar with this protocol, as you can see.

- Will

----- Original Message -----
From: "Sean Winn"
To: "William Wong"
Sent: Monday, August 21, 2000 5:10 AM
Subject: Re: icmptypes

> So far I've found no major need to drop ICMP except for redirect.
>
> From: "Mipam"
> > Sure sure....
> >
> > Basically, you just wish to allow icmp requests and icmp replies (type 8
> > and 0).
> > Deny the rest. Also make sure to deny any icmp fragmented packets.
> > For the rest what you wish to deny or allow is up to you :)
> > Bye,
> >
> > Mipam.
> >
> > > And if there is, which icmptypes should be allowed in at the minimum?
> > >
> > > - Will
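
Added example, not part of the thread: an ipfw ruleset for the policy quoted above from Mipam (allow ICMP types 8 and 0, drop fragmented ICMP, deny the rest). The rule numbers, the `from any to any` scope and the `icmp_policy` helper are assumptions; the script only prints the commands unless `IPFW` is set to the real binary.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: the ipfw commands
# are printed, not executed. On a FreeBSD host, run with IPFW=/sbin/ipfw.
IPFW="${IPFW:-echo ipfw}"

# icmp_policy BASE TYPES
#   BASE  - first rule number (assumed; choose one that fits your ruleset)
#   TYPES - comma-separated ICMP types to allow, e.g. "0,8"
icmp_policy() {
    base="$1"
    types="$2"

    # Accept only digits and single commas, so nothing else can end up
    # on the ipfw command line.
    case "$types" in
        ''|*[!0-9,]*|,*|*,|*,,*)
            echo "invalid icmptypes list: '$types'" >&2
            return 1 ;;
    esac

    # Each listed type must fit the 8-bit ICMP type field.
    bad=
    old_ifs=$IFS; IFS=,
    for t in $types; do
        [ "$t" -le 255 ] 2>/dev/null || bad=$t
    done
    IFS=$old_ifs
    [ -z "$bad" ] || { echo "icmp type out of range: $bad" >&2; return 1; }

    # 1. Drop ICMP fragments first ('frag' matches non-first fragments),
    #    so they can never reach the allow rule below.
    $IPFW add "$base" deny icmp from any to any frag
    # 2. Allow only the listed types (0 = echo reply, 8 = echo request).
    $IPFW add "$((base + 10))" allow icmp from any to any icmptypes "$types"
    # 3. Deny every other ICMP packet.
    $IPFW add "$((base + 20))" deny icmp from any to any
}

# Policy from the quoted advice: echo request and echo reply only.
icmp_policy 1000 0,8
```

Order matters because ipfw stops at the first matching rule: placing the `frag` deny after the allow would leave it without effect for the listed types.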