From: Technical Director
To: K Anderson
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Mon, 25 Aug 2003 19:53:56 -0700 (MST)
Subject: Re: IPFW & ICMP
In-Reply-To: <3F4ABCBD.6030600@comcast.net>

Hello,

Someone correct me if I am wrong, but snort, like other traffic shapers and
dumpers, takes the actual traffic from the network card before the
firewall/kernel gets it.

The rule is in place, and as long as you see numbers in the first two
columns in the output of the following command:

    ipfw -a l [INSERT_YOUR_FW_RULE_FOR_ICMP_BLOCKING]
    ##### 0 2300 deny icmp from any to me via ed0

then your rule should be fine. If it's zero, then the rules above it are
stopping any activity that this rule might have on incoming packets.

R.

On Mon, 25 Aug 2003, K Anderson wrote:

> Howdy folks,
>
> I've been getting bombarded with ICMP (Cyberkit 2.2 attack) stuff and
> created a rule in ipfw to firewall it. The rule is working, I am getting
> measured stats, but the problem is snort is seeing them and reporting
> them. I thought that by firewalling ICMP snort would stop noticing them.
> If I'm wrong in my assumption I would certainly like to hear it.
>
> Here is the firewall rule I applied.
>
> deny log icmp from any to me via ed0
>
> There are some TCP and IP rules above that, but I don't see that causing
> anything to skip over the ICMP rule. And snort is seeing them, as I did
> a quick search through ACID.
>
> Thanks in advance.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
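The counter check described in the reply, written out as a small shell helper. This is an added example, not code from the thread or from FreeBSD; it assumes the `ipfw -a list` output layout of rule number, packet count, byte count and then the rule body, and the two rule listings embedded below are constructed samples rather than real captures. It reads the packet column of the first `deny ... icmp` rule and, when that column is zero, lists the lower-numbered rules whose protocol (`ip`, `all` or `icmp`) could match an ICMP packet first. Interface and address qualifiers (`via ed0`, `to me`) are not evaluated, so the second list is a set of candidates to inspect, not a proof of shadowing.

```shell
#!/bin/sh
# Added example: check whether an ipfw "deny icmp" rule is actually matching,
# using the counters "ipfw -a list" prints next to every rule.
# Assumed output layout: <rule> <pkts> <bytes> <action> [log [logamount N]] <proto> ...

# Constructed sample: the ICMP rule at 00400 has hits.
SAMPLE_IPFW_OUTPUT='00100   12   1040 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300  845  51330 allow tcp from any to me 22 via ed0
00400 2300 193200 deny log icmp from any to me via ed0
65535  100   8000 allow ip from any to any'

# Constructed sample: the ICMP rule at 00200 never fires because 00100
# already denies all IP on the same interface.
ZERO_SAMPLE='00100 55 4400 deny ip from any to me via ed0
00200  0    0 deny icmp from any to me via ed0'

# icmp_rule_counters: read "ipfw -a list" output on stdin and print
# "<rule> <pkts> <bytes>" for the first deny rule whose protocol is icmp.
icmp_rule_counters() {
    awk '$0 ~ / deny (log |log logamount [0-9]+ )?icmp / { print $1, $2, $3; exit }'
}

# shadowing_rules <rule>: print "<rule> <proto>" for every rule numbered
# below <rule> whose protocol could match ICMP (ip, all or icmp).
# Interface/address qualifiers are deliberately not evaluated here.
shadowing_rules() {
    awk -v limit="$1" '
        $1 + 0 >= limit + 0 { exit }
        {
            i = 5
            if ($i == "log") { i++; if ($i == "logamount") i += 2 }
            if ($i == "ip" || $i == "all" || $i == "icmp") print $1, $i
        }'
}

# check_icmp_rule: read "ipfw -a list" output on stdin and report the verdict.
check_icmp_rule() {
    input=$(cat)
    counters=$(printf '%s\n' "$input" | icmp_rule_counters)
    if [ -z "$counters" ]; then
        echo "no deny icmp rule found"
        return 1
    fi
    set -- $counters
    if [ "$2" -gt 0 ]; then
        echo "rule $1 is matching: $2 packets, $3 bytes"
    else
        echo "rule $1 has zero hits; earlier rules that could match ICMP first:"
        printf '%s\n' "$input" | shadowing_rules "$1"
    fi
}

# On a live FreeBSD box you would run:  ipfw -a list | check_icmp_rule
printf '%s\n' "$SAMPLE_IPFW_OUTPUT" | check_icmp_rule
printf '%s\n' "$ZERO_SAMPLE" | check_icmp_rule
```

The packet counter only proves the rule is consuming those ICMP packets inside ipfw; whether a sniffer that taps the interface still sees them is a separate question, which is exactly what the reply above is getting at.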