Date:      Sat, 29 Sep 2001 01:31:48 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        gkshenaut@ucdavis.edu
Cc:        security@FreeBSD.ORG
Subject:   Re: How to config IPFW for enable ping and traceroute
Message-ID:  <20010929013148.B37579@mail.webmonster.de>
In-Reply-To: <200109271736.f8RHZrA20332@thistle.bogs.org>; from greg@bogslab.ucdavis.edu on Thu, Sep 27, 2001 at 10:35:53AM -0700
References:  <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com> <200109271736.f8RHZrA20332@thistle.bogs.org>



stateful rules would be better, i don't know if this can be done with
ipfw (but i guess it should work somehow).
that's the ipfilter config for getting traceroute to work, for those who
are interested...

---excerpt from /etc/ipfilter.rules:
# traceroute udp outgoing (one rule per line; "><" is an exclusive port range)
pass out proto udp from 0.0.0.0/32 to any port 33433 >< 33499 keep state

# icmp handling
# echo=8
pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 8 keep state
pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 8 keep state
# traceroute=30 (the RFC 1393 "Traceroute" ICMP type; traceroute(8) itself
# relies on type 11, time exceeded, and type 3, unreachable)
pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 30 keep state
pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 30 keep state
block in log quick proto icmp from any to any
---

/k

Greg Shenaut(greg@bogslab.ucdavis.edu)@2001.09.27 10:35:53 +0000:
> In message <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>, "Chutima S." cleopede:
> >Hi
> >
> >I read from Firewall handbook as below:
> >icmptypes types
> >Matches if the ICMP type is present in the list types. The list may be
> >specified as any combination of ranges and/or individual types separated
> >by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
> >destination unreachable, 5 redirect, 8 echo request (ping request), and
> >11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
> >
> >So I config ipfw for icmp as following:
> >
> >ipfw add pass icmp from <internal> to any icmptypes 8
> >ipfw add pass icmp from any to <internal> icmptypes 0
> >ipfw add pass icmp from any to <internal> icmptypes 11
> >
> >I can ping but I can not traceroute.  Anything wrong with my config?
>
> Here is a scrap from the ksh script I use to generate my ipfw rules.
> It lets me ping and traceroute out, but accepts them only to my
> gateway box.  Note that it accepts any udp to a gateway interface
> in the standard range of traceroute ports (use of other ports will
> cause traceroute to fail).
>
> "add" adds the rule, "alias" adds the rule for each alias of my
> external interface (using "printf", hence the "%s").  Variables
> {if,ip,mask,net}0 correspond to my external link; "{if,ip,net,mask}X"
> where X is 1-9 correspond to one of my internal subnets.
>
> --- begin ---
> # ICMP
> # allow all ping and traceroute replies plus source quench
> add pass icmp from any to any icmptypes 0,3,4,11,12
>
> # Allow ping of firewall machine but not beyond
> alias pass icmp from any to %s icmptypes 8
> alias pass icmp from %s to any icmptypes 8
> # NOTE: the next rule is a limited insecurity
> alias pass udp from any to %s 33434-33523
> alias pass udp from %s to any 33434-33523
>
> # allow ping from any internal subnet
> for x in 1 2 3 4 5 6 7 8 9 ; do
> 	eval "iif=\$if$x"
> 	if [[ "$iif" = "" ]] ; then
> 		continue
> 	fi
> 	eval "inet=\$net$x"
> 	eval "imask=\$mask$x"
> 	eval "iip=\$ip$x"
> 	add pass icmp from ${inet}:${imask} to any icmptypes 8
> 	add pass udp from ${inet}:${imask} to any 33434-33523
> done
>
> # explicitly deny other icmp packets across firewall
> add deny icmp from any to any via ${if0}
> ---end---
>
> I hope this is helpful.
>
> Greg Shenaut
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
> Get the all-new Microsoft[tm] IIS (Internet Intrusion Server[tm])! Out now!
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
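As an added example (not code from this thread, from FreeBSD or from ipfw), the script below is a toy first-match evaluator for ipfw-style rules. It runs the three rules from Chutima's question and a stateful variant of Greg's ruleset against a constructed ping and a constructed two-hop UDP traceroute, showing why the first set lets ping through but stops traceroute twice (at the outgoing UDP probe and at the final port-unreachable reply), and why, as Greg's "limited insecurity" note says, a bidirectional UDP rule admits unsolicited probes that a keep-state rule does not. The addresses (RFC 5737 documentation ranges), the Packet/Rule/Firewall classes and the packet sequences are all assumptions made for this example; real ipfw has many more match options and its dynamic rules behave more elaborately than this model.

```python
"""Toy first-match evaluator for ipfw-style rules (added example, not FreeBSD or
ipfw code); every address, rule and packet is constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = "192.0.2.0/24"                # constructed stand-in for <internal>
TRACEROUTE_PORTS = range(33434, 33524)   # 33434-33523, as in Greg's script
HOST, HOP, TARGET = "192.0.2.10", "198.51.100.1", "203.0.113.7"  # constructed

def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

@dataclass(frozen=True)
class Packet:
    proto: str                     # "icmp" or "udp"
    src: str
    dst: str
    icmptype: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "deny"
    proto: str                     # "icmp", "udp" or "ip" (any protocol)
    src: str                       # CIDR network or "any"
    dst: str
    icmptypes: frozenset = frozenset()   # empty = any ICMP type
    dports: Optional[range] = None       # UDP destination-port range
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _in_net(p.src, self.src) and _in_net(p.dst, self.dst)
                and (not self.icmptypes or p.icmptype in self.icmptypes)
                and (self.dports is None or p.dport in self.dports))

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = set()       # flow keys recorded by keep-state rules

    def check(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.dynamic or rev in self.dynamic:   # check-state
            return "pass"
        for r in self.rules:                             # first match wins
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.dynamic.add(fwd)
                return r.action
        return "deny"                                    # ipfw's default rule 65535

def run(rules, packets):
    """Evaluate packets in order against a fresh firewall; return the verdicts."""
    fw = Firewall(rules)
    return [fw.check(p) for p in packets]

# The three rules from the question: enough for ping, not for traceroute.
QUESTION_RULES = [
    Rule("pass", "icmp", INTERNAL, "any", icmptypes=frozenset({8})),
    Rule("pass", "icmp", "any", INTERNAL, icmptypes=frozenset({0})),
    Rule("pass", "icmp", "any", INTERNAL, icmptypes=frozenset({11})),
]

# Greg's approach with a stateful UDP leg: probes out with keep-state; the ICMP
# replies (0, 3, 4, 11, 12) admitted explicitly, because a dynamic UDP entry
# never matches the ICMP errors that answer it; all other ICMP denied.
STATEFUL_RULES = [
    Rule("pass", "icmp", "any", "any", icmptypes=frozenset({0, 3, 4, 11, 12})),
    Rule("pass", "icmp", INTERNAL, "any", icmptypes=frozenset({8})),
    Rule("pass", "udp", INTERNAL, "any", dports=TRACEROUTE_PORTS, keep_state=True),
    Rule("deny", "icmp", "any", "any"),
]

# Greg's bidirectional UDP rules instead of keep-state (his "limited insecurity").
BIDIRECTIONAL_RULES = STATEFUL_RULES[:2] + [
    Rule("pass", "udp", INTERNAL, "any", dports=TRACEROUTE_PORTS),
    Rule("pass", "udp", "any", INTERNAL, dports=TRACEROUTE_PORTS),
    STATEFUL_RULES[3],
]

def ping_exchange():
    return [Packet("icmp", HOST, TARGET, icmptype=8),
            Packet("icmp", TARGET, HOST, icmptype=0)]

def traceroute_exchange():
    """Two-hop UDP traceroute: probe, time exceeded, probe, port unreachable."""
    return [Packet("udp", HOST, TARGET, sport=40000, dport=33434),
            Packet("icmp", HOP, HOST, icmptype=11),
            Packet("udp", HOST, TARGET, sport=40000, dport=33435),
            Packet("icmp", TARGET, HOST, icmptype=3)]

def stray_probe():
    """Unsolicited UDP from outside aimed at the traceroute port range."""
    return Packet("udp", "203.0.113.66", HOST, sport=5555, dport=33434)
```

From an interpreter, `run(QUESTION_RULES, traceroute_exchange())` returns the verdict list for the four traceroute packets; the same call with `STATEFUL_RULES` passes all four, while `run(STATEFUL_RULES, [stray_probe()])` and `run(BIDIRECTIONAL_RULES, [stray_probe()])` show the difference between the keep-state rule and the bidirectional one. The model deliberately keeps ipfw's behaviour of not matching ICMP errors against a UDP dynamic entry, which is why the explicit icmptypes rule stays even in the stateful set.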
