From: "Karsten W. Rohrbach"
Date: Sat, 29 Sep 2001 01:31:48 +0200
To: gkshenaut@ucdavis.edu
Cc: security@FreeBSD.ORG
Subject: Re: How to config IPFW for enable ping and traceroute
Message-ID: <20010929013148.B37579@mail.webmonster.de>
References: <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com> <200109271736.f8RHZrA20332@thistle.bogs.org>
In-Reply-To: <200109271736.f8RHZrA20332@thistle.bogs.org>; from greg@bogslab.ucdavis.edu on Thu, Sep 27, 2001 at 10:35:53AM -0700
User-Agent: Mutt/1.2.5i

stateful rules would be better, i don't know if this can be done with ipfw
(but i guess it should work somehow). that's the ipfilter config for getting
traceroute to work, for those who are interested...
---excerpt from /etc/ipfilter.rules:
# traceroute udp outgoing
pass out proto udp from 0.0.0.0/32 to any port 33433 >< 33499 keep state
# icmp handling
# echo=8
pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 8 keep state
pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 8 keep state
# traceroute=30
pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 30 keep state
pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 30 keep state
block in log quick proto icmp from any to any
---

/k

Greg Shenaut(greg@bogslab.ucdavis.edu)@2001.09.27 10:35:53 +0000:
> In message <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>, "Chutima S." cleopede:
> >Hi
> >
> >I read from Firewall handbook as below:
> >icmptypes types
> >Matches if the ICMP type is present in the list types. The list may be
> >specified as any combination of ranges and/or individual types separated
> >by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
> >destination unreachable, 5 redirect, 8 echo request (ping request), and
> >11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
> >
> >So I config ipfw for icmp as following:
> >
> >ipfw add pass icmp from to any icmptypes 8
> >ipfw add pass icmp from any to icmptypes 0
> >ipfw add pass icmp from any to icmptypes 11
> >
> >I can ping but I can not traceroute. Anything wrong with my config?
>
> Here is a scrap from the ksh script I use to generate my ipfw rules.
> It lets me ping and traceroute out, but accepts them only to my
> gateway box. Note that it accepts any udp to a gateway interface
> in the standard range of traceroute ports (use of other ports will
> cause traceroute to fail).
>
> "add" adds the rule, "alias" adds the rule for each alias of my
> external interface (using "printf", hence the "%s"). Variables
> {if,ip,mask,net}0 correspond to my external link; "{if,ip,net,mask}X"
> where X is 1-9 correspond to one of my internal subnets.
>
> --- begin ---
> # ICMP
> # allow all ping and traceroute replies plus source quench
> add pass icmp from any to any icmptypes 0,3,4,11,12
>
> # Allow ping of firewall machine but not beyond
> alias pass icmp from any to %s icmptypes 8
> alias pass icmp from %s to any icmptypes 8
> # NOTE: the next rule is a limited insecurity
> alias pass udp from any to %s 33434-33523
> alias pass udp from %s to any 33434-33523
>
> # allow ping from any internal subnet
> for x in 1 2 3 4 5 6 7 8 9 ; do
>   eval "iif=\$if$x"
>   if [[ "$iif" = "" ]] ; then
>     continue
>   fi
>   eval "inet=\$net$x"
>   eval "imask=\$mask$x"
>   eval "iip=\$ip$x"
>   add pass icmp from ${inet}:${imask} to any icmptypes 8
>   add pass udp from ${inet}:${imask} to any 33434-33523
> done
>
> # explicitly deny other icmp packets across firewall
> add deny icmp from any to any via ${if0}
> ---end---
>
> I hope this is helpful.
>
> Greg Shenaut

--
> Get the all-new Microsoft[tm] IIS (Internet Intrusion Server[tm])! Out now!
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
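The thread leaves two things open: the original poster's ipfw config passed ICMP 8/0/11 but never allowed the outgoing UDP probes that traceroute actually sends, and Karsten was unsure whether the ipfilter "keep state" approach has an ipfw equivalent. The generator below is an added example, not code from either message or from the FreeBSD project; it mirrors Greg's "generate the rules from a script" pattern in POSIX sh, using ipfw's `keep-state`/`check-state` for the echo traffic. The interface name `fxp0`, the TEST-NET-1 address `192.0.2.10` and the two inside subnets are constructed placeholders. One caveat the example encodes: an ipfw dynamic rule created by a UDP probe only matches UDP coming back, and traceroute's answers are ICMP type 11 (and 3) sent by other routers, so those still need a static inbound rule, which is why Greg's script allows `icmptypes 0,3,4,11,12` unconditionally.

```shell
#!/bin/sh
# Added example (not from the list thread): generate stateful ipfw rules
# that let ping and traceroute work. Rules are printed, not loaded, so
# the script runs anywhere; see the usage note for loading them.
# fxp0 / 192.0.2.10 / 10.x.0.0/24 below are constructed placeholders.

# Emit one rule line. Output is in the format ipfw reads from a file.
rule() { printf '%s\n' "$*"; }

# gen_rules EXT_IF EXT_IP NET...   prints the rule set for one gateway.
gen_rules() {
    ext_if=$1; ext_ip=$2; shift 2

    # Consult the dynamic rule table first: replies to the keep-state
    # rules below match here, so no blanket "pass icmptypes 0" is needed.
    rule "add check-state"

    # Ping of the gateway and from the gateway; keep-state admits the
    # echo reply (ipfw tracks the address pair and protocol).
    rule "add pass icmp from any to $ext_ip icmptypes 8 keep-state"
    rule "add pass icmp from $ext_ip to any icmptypes 8 keep-state"

    # traceroute sends UDP to the standard port range; this is what the
    # ipfw config in the original question was missing.
    rule "add pass udp from $ext_ip to any 33434-33523 out xmit $ext_if keep-state"

    # Internal subnets may ping and traceroute through the gateway.
    for net in "$@"; do
        rule "add pass icmp from $net to any icmptypes 8 out xmit $ext_if keep-state"
        rule "add pass udp from $net to any 33434-33523 out xmit $ext_if keep-state"
    done

    # traceroute's answers are ICMP errors (11 = time exceeded, 3 =
    # unreachable) from third-party routers. They do not match the UDP
    # state entry, so a static inbound rule is still required.
    rule "add pass icmp from any to any icmptypes 3,11 in recv $ext_if"

    # Everything else of these kinds crossing the external link is
    # dropped and logged, mirroring the explicit deny in the quoted script.
    rule "add deny log icmp from any to any via $ext_if"
    rule "add deny log udp from any to any 33434-33523 via $ext_if"
}

# rule_count EXT_IF EXT_IP NET...   number of rule lines gen_rules emits.
rule_count() { gen_rules "$@" | grep -c .; }

# Sample run with the constructed values: one gateway, two inside subnets.
gen_rules fxp0 192.0.2.10 10.1.0.0/24 10.2.0.0/24
```

Save the output to a file and load it with `ipfw -q /path/to/file`, or prefix each line with `ipfw` by hand. The rules assume they are inserted before the rule set's final default deny, and the `deny log` lines only produce log output when the kernel's IPFIREWALL_VERBOSE logging is enabled. Accepting ICMP 3 and 11 from anywhere is the same trade-off Greg makes with his reply rule; the UDP range stays limited to the standard traceroute ports so the "limited insecurity" he notes is not widened.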