From: K Anderson
Date: Mon, 25 Aug 2003 18:49:49 -0700
To: FreeBSD Questions
Subject: IPFW & ICMP
Message-ID: <3F4ABCBD.6030600@comcast.net>

Howdy folks,

I've been getting bombarded with ICMP (Cyberkit 2.2 attack) stuff and created a rule in ipfw to firewall it. The rule is working, I am getting measured stats but the problem is snort is seeing them and reporting them.

I thought that by firewalling ICMP snort would stop noticing them. If I'm wrong in my assumption I would certainly like to hear it.

Here is the firewall rule I applied.

    deny log icmp from any to me via ed0

There are some TCP and IP rules above that but I don't see that causing anything to skip over the ICMP rule. And snort is seeing them as I did a quick search through ACID.

Thanks in advance.