Date: Sat, 29 Sep 2001 01:31:48 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: gkshenaut@ucdavis.edu
Cc: security@FreeBSD.ORG
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <20010929013148.B37579@mail.webmonster.de>
In-Reply-To: <200109271736.f8RHZrA20332@thistle.bogs.org>; from greg@bogslab.ucdavis.edu on Thu, Sep 27, 2001 at 10:35:53AM -0700
References: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com> <200109271736.f8RHZrA20332@thistle.bogs.org>
Stateful rules would be better, I don't know if this can be done with ipfw (but I guess it should work somehow). That's the ipfilter config for getting traceroute to work, for those who are interested...

---excerpt from /etc/ipfilter.rules:
# traceroute udp outgoing
pass out proto udp from 0.0.0.0/32 to any port 33433 >< 33499 keep state
# icmp handling
# echo=8
pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 8 keep state
pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 8 keep state
# traceroute=30
pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 30 keep state
pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 30 keep state
block in log quick proto icmp from any to any
---

/k

Greg Shenaut(greg@bogslab.ucdavis.edu)@2001.09.27 10:35:53 +0000:
> In message <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>, "Chutima S." cleopede:
> >Hi
> >
> >I read from Firewall handbook as below:
> >icmptypes types
> >Matches if the ICMP type is present in the list types. The list may be
> >specified as any combination of ranges and/or individual types separated
> >by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
> >destination unreachable, 5 redirect, 8 echo request (ping request), and
> >11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
> >
> >So I config ipfw for icmp as following:
> >
> >ipfw add pass icmp from <internal> to any icmptypes 8
> >ipfw add pass icmp from any to <internal> icmptypes 0
> >ipfw add pass icmp from any to <internal> icmptypes 11
> >
> >I can ping but I can not traceroute. Anything wrong with my config?
>
> Here is a scrap from the ksh script I use to generate my ipfw rules.
> It lets me ping and traceroute out, but accepts them only to my
> gateway box. Note that it accepts any udp to a gateway interface
> in the standard range of traceroute ports (use of other ports will
> cause traceroute to fail).
>
> "add" adds the rule, "alias" adds the rule for each alias of my
> external interface (using "printf", hence the "%s"). Variables
> {if,ip,mask,net}0 correspond to my external link; "{if,ip,net,mask}X"
> where X is 1-9 correspond to one of my internal subnets.
>
> --- begin ---
> # ICMP
> # allow all ping and traceroute replies plus source quench
> add pass icmp from any to any icmptypes 0,3,4,11,12
>
> # Allow ping of firewall machine but not beyond
> alias pass icmp from any to %s icmptypes 8
> alias pass icmp from %s to any icmptypes 8
> # NOTE: the next rule is a limited insecurity
> alias pass udp from any to %s 33434-33523
> alias pass udp from %s to any 33434-33523
>
> # allow ping from any internal subnet
> for x in 1 2 3 4 5 6 7 8 9 ; do
>     eval "iif=\$if$x"
>     if [[ "$iif" = "" ]] ; then
>         continue
>     fi
>     eval "inet=\$net$x"
>     eval "imask=\$mask$x"
>     eval "iip=\$ip$x"
>     add pass icmp from ${inet}:${imask} to any icmptypes 8
>     add pass udp from ${inet}:${imask} to any 33434-33523
> done
>
> # explicitly deny other icmp packets across firewall
> add deny icmp from any to any via ${if0}
> ---end---
>
> I hope this is helpful.
>
> Greg Shenaut

-- 
Get the all-new Microsoft[tm] IIS (Internet Intrusion Server[tm])! Out now!
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
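The failure in the original question, worked through as an added example that is not part of this thread: a small Python model of ipfw's first-match rule evaluation (default policy assumed to be deny, all addresses constructed) is run over the three rules from the question and over the same rules plus the UDP probe range and reply types from Greg's script. It shows that the original set passes ping but drops the outgoing UDP probe and the final-hop port-unreachable, which is why traceroute fails.

```python
import ipaddress
from collections import namedtuple

# Constructed addresses: a stand-in for the thread's <internal>, one inside host, one outside hop.
INTERNAL, HOST, HOP = "192.168.1.0/24", "192.168.1.10", "203.0.113.1"

# A packet is (proto, src, dst, n): n is the ICMP type for icmp, the destination port for udp.
# A rule's sel is the set of ICMP types or the port range it matches; empty means "any".
Rule = namedtuple("Rule", "action proto src dst sel", defaults=[()])

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    proto, src, dst, n = pkt
    return (rule.proto == proto and in_net(src, rule.src) and in_net(dst, rule.dst)
            and (not rule.sel or n in rule.sel))

def verdict(rules, pkt):
    # First matching rule wins; no match falls through to deny (assumed default-deny policy).
    return next((r.action for r in rules if matches(r, pkt)), "deny")

# The three rules from the original question: echo request out, echo reply and time-exceeded in.
ORIGINAL = [
    Rule("pass", "icmp", INTERNAL, "any", {8}),
    Rule("pass", "icmp", "any", INTERNAL, {0}),
    Rule("pass", "icmp", "any", INTERNAL, {11}),
]
# The same plus the UDP probe range and the reply types Greg's script passes.
WITH_TRACEROUTE = ORIGINAL + [
    Rule("pass", "udp", INTERNAL, "any", range(33434, 33524)),
    Rule("pass", "icmp", "any", "any", {0, 3, 4, 11, 12}),
]

# What traceroute(8) needs: the UDP probe out, a type 11 from each hop, a type 3 from the target.
TRACEROUTE = (("udp", HOST, HOP, 33434), ("icmp", HOP, HOST, 11), ("icmp", HOP, HOST, 3))

def ping_works(rules):
    return all(verdict(rules, p) == "pass"
               for p in (("icmp", HOST, HOP, 8), ("icmp", HOP, HOST, 0)))

def dropped(rules, pkts=TRACEROUTE):
    # The traceroute packets this rule set denies, in the order traceroute would need them.
    return [p for p in pkts if verdict(rules, p) != "pass"]

def traceroute_works(rules):
    return not dropped(rules)
```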