From owner-freebsd-questions@FreeBSD.ORG  Mon Aug 25 20:17:18 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9540316A4BF
	for <questions@freebsd.org>; Mon, 25 Aug 2003 20:17:18 -0700 (PDT)
Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 11A3143FBF
	for <questions@freebsd.org>; Mon, 25 Aug 2003 20:17:18 -0700 (PDT)
	(envelope-from freebsduser@comcast.net)
Received: from comcast.net
	(12-225-141-88.client.attbi.com[12.225.141.88](untrusted sender))
	by comcast.net (rwcrmhc11) with SMTP
	id <20030826031707013006oe01e>          (Authid: animotions);
	Tue, 26 Aug 2003 03:17:16 +0000
Message-ID: <3F4AD0BA.7050201@comcast.net>
Date: Mon, 25 Aug 2003 20:15:06 -0700
From: K Anderson <freebsduser@comcast.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US;
	rv:1.4) Gecko/20030624 Netscape/7.1
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Technical Director <trodat@ultratrends.com>
References: <Pine.BSF.4.21.0308251956020.37550-100000@server1.ultratrends.com>
In-Reply-To: <Pine.BSF.4.21.0308251956020.37550-100000@server1.ultratrends.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: FreeBSD Questions <questions@freebsd.org>
Subject: Re: IPFW & ICMP
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2003 03:17:18 -0000



Technical Director wrote:
> 
> On Mon, 25 Aug 2003, Technical Director wrote:
> 
> 
>>Hello,
> 
> 
>>ipfw -a l [INSERT_YOUR_FW_RULE_FOR_ICMP_BLOCKING]
> 
> 
> INSERT_YOUR_FW_RULE_FOR_ICMP_BLOCK is the rule ID Number. #### below is it
> as well... :)
> 
> 
>>##### 0 2300 deny icmp from any to me via ed0
> 
> 
> Just to clarify.
> 
> R.
> 
> 

Thanks for the response.

Yep, that's the rule and it does have counters.

In your previous e-mail you were asking about the order of packet 
processing and that's what I'm trying to figure out as well. I figure 
that the firewall should block the traffic first so as to prevent ruled 
traffic from coming in and then, in my thinking, snort shouldn't see it.

Hopefully somebody might have an explanation with the why's and how 
comes one way or the other.