From: Peter Pentchev <roam@ringlet.net>
To: Jason Stone
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 13:43:10 +0200
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027114310.GA430@straylight.oblivion.bg>
In-Reply-To: <20031027030027.B8440@walter>

On Mon, Oct 27, 2003 at 03:12:48AM -0800, Jason Stone wrote:
[snip]
> > > > Filtering packets by length on the other hand is a very nice feature
> > > > to have.
>
> > > As it happens, ipfw[2] does this anyway.
>
> Yes, ipfw2 (ie, on fbsd-5 boxes) has an "iplen" option that you can put in
> the body of your rule.  From the manpage:
>
>      iplen len
>          Matches IP packets whose total length, including header and
>          data, is len bytes.
>
> However, this isn't going to help most people with 4.x systems, so their
> best option is probably still to block all pings.

Actually, ipfw2 has been backported to -STABLE for quite a while, and the
iplen keyword has been present in -STABLE's src/sbin/ipfw/ipfw2.c ever
since ipfw2 was MFC'd (about July 2002).  You may want to take a look at
the ipfw(8) manual page, and specifically (as recommended at the top of
the manpage) the 'USING IPFW2 IN FreeBSD-STABLE' section to see how you
can actually use ipfw2 and 'iplen' in -STABLE :)

G'luck,
Peter

--
Peter Pentchev	roam@ringlet.net	roam@sbnd.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.
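The following Python is an added illustration, not part of this thread and not ipfw's own code: it emulates what an ipfw2 rule of the form `deny icmp from any to any icmptypes 8 iplen N` actually tests, using packets constructed inline. The only field the rule compares is the IPv4 "total length" header field, so a header-plus-ICMP-plus-data packet of exactly N bytes is denied while an ordinary ping of another size passes, which is the difference between this approach and blocking all pings. The packet builders and helper names are mine, and the 92-byte value used for N is the commonly reported total length of the Nachi/Welchia echo request, a figure the thread itself does not state.

```python
import struct

ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IP_HDR_LEN = 20
ICMP_HDR_LEN = 8

# Assumption (not stated in the thread): the Nachi/Welchia echo request is
# commonly reported as 92 bytes of IP total length (20 + 8 + 64 bytes of data).
NACHI_IPLEN = 92


def build_ipv4(proto: int, payload: bytes, src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed sample packet: minimal IPv4 header (no options) + payload.
    Checksums are left zero; a length-based filter never looks at them."""
    total_len = IP_HDR_LEN + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20-byte header)
        0,               # TOS
        total_len,       # total length: header + data, which is what "iplen" matches
        0, 0,            # identification, flags/fragment offset
        64,              # TTL
        proto,           # protocol
        0,               # header checksum (unused here)
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def build_echo_request(data: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed ICMP echo request (type 8, code 0) carrying `data`."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data
    return build_ipv4(IPPROTO_ICMP, icmp)


def parse_ipv4(packet: bytes) -> dict:
    """Pull out the fields a length filter needs from the IPv4 header."""
    if len(packet) < IP_HDR_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    return {"ihl": ihl, "total_len": total_len, "proto": packet[9],
            "payload": packet[ihl:total_len]}


def matches_iplen_rule(packet: bytes, iplen: int, icmptype: int = ICMP_ECHO_REQUEST) -> bool:
    """Emulates the match part of
         deny icmp from any to any icmptypes <icmptype> iplen <iplen>
    i.e. protocol ICMP, the given ICMP type, and IP total length == iplen."""
    hdr = parse_ipv4(packet)
    if hdr["proto"] != IPPROTO_ICMP or not hdr["payload"]:
        return False
    if hdr["payload"][0] != icmptype:
        return False
    return hdr["total_len"] == iplen


def filter_packets(packets, iplen: int = NACHI_IPLEN):
    """Return "deny" for packets the length rule catches and "allow" otherwise,
    the selective policy the thread contrasts with blocking every ping."""
    return ["deny" if matches_iplen_rule(p, iplen) else "allow" for p in packets]


if __name__ == "__main__":
    samples = [
        build_echo_request(b"\xaa" * 64),        # 92 bytes: Nachi-sized echo request
        build_echo_request(b"\x00" * 56),        # 84 bytes: the usual Unix ping default
        build_echo_request(b"abcdefgh" * 4),     # 60 bytes: a 32-byte-payload ping
        build_ipv4(IPPROTO_TCP, b"\x00" * 72),   # 92 bytes but not ICMP at all
    ]
    for pkt, verdict in zip(samples, filter_packets(samples)):
        print(f"iplen={parse_ipv4(pkt)['total_len']:3d} proto={pkt[9]} -> {verdict}")
```

On a -STABLE box with ipfw2 enabled as the manpage section describes, the rule this emulates would be written `ipfw add deny icmp from any to any icmptypes 8 iplen 92` (with the 92 remaining the assumption noted above); the emulation makes explicit that the match is on the IP total length field and the ICMP type, so echo replies, other ICMP types and non-ICMP traffic of the same size are untouched.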