Date:      Mon, 7 Oct 2002 15:09:57 +0100
From:      Ceri Davies <setantae@submonkey.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: block icmp with ipfw
Message-ID:  <20021007140957.GA11694@submonkey.net>
In-Reply-To: <200210071406.g97E6Nlc087362@lurza.secnetix.de>
References:  <20021007093549.GA7137@submonkey.net> <200210071406.g97E6Nlc087362@lurza.secnetix.de>

On Mon, Oct 07, 2002 at 04:06:23PM +0200, Oliver Fromme wrote:
> Ceri Davies <setantae@submonkey.net> wrote:
>  > add 00602 allow icmp from any to any icmptypes 8 out
>  > add 00603 allow icmp from any to any icmptypes 0 in
>  > ...
>  > default deny
> 
> You should really do it the other way around:  let all ICMP
> types through, _except_ for those that you don't want (i.e.
> ICMP ECHO).  You will probably want several things to work
> correctly which depend on ICMP, such as path MTU discovery
> (RFC1191), detection of unreachable destinations or networks,
> and similar things.  ICMP means internet control message
> protocol -- without it, several internet-related things just
> don't work.

Yes, I have separate rules for those.
I should probably have stated this.

> Personally, I wouldn't block ICMP at all, not even ICMP ECHO.
> FreeBSD's ICMP bandwidth limit handles the usual situations
> where you'd want to limit ICMP pretty well.

I'd agree with this in most situations.
The machine that those rules are from is unfortunately severely under-spec'd
and overworked though, and I have found this makes a positive difference.

Ceri

-- 
you can't see when light's so strong
you can't see when light is gone

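The two ICMP policies discussed in this thread, side by side, as an added example that is not code from either poster. allowlist_rules reproduces the quoted approach (permit only echo request out and echo reply in, everything else falls through to "default deny"); denylist_rules is the inverted approach Oliver recommends (permit ICMP, deny only inbound echo requests), which keeps type 3 (destination unreachable, including code 4 "fragmentation needed" that path MTU discovery relies on) and type 11 (time exceeded) flowing. first_match is a small first-match walker over the rule lines the script itself emits, so the effect of each policy can be checked before anything is loaded into the kernel. The interface name em0, the rule numbers 600-699 and the APPLY switch are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: compare an ICMP allowlist with an
# ICMP denylist for ipfw(8) and evaluate both with a tiny first-match
# walker.  ipfw is first-match, so rule order decides the outcome.
# Assumptions (not stated in the thread): outside interface is $EXT_IF,
# rule numbers 600-699 are free, a final "default deny" rule exists.

EXT_IF="${EXT_IF:-em0}"   # assumed external interface name

# The thread's original allowlist: echo request out, echo reply in, and
# every other ICMP type (including type 3 for PMTUD) hits default deny.
allowlist_rules() {
    cat <<EOF
add 00602 allow icmp from any to any icmptypes 8 out via ${EXT_IF}
add 00603 allow icmp from any to any icmptypes 0 in via ${EXT_IF}
EOF
}

# Inverted policy: one narrow deny for inbound echo requests, then permit
# the rest of ICMP.  The deny must come first because of first-match.
denylist_rules() {
    cat <<EOF
add 00602 deny icmp from any to any icmptypes 8 in via ${EXT_IF}
add 00603 allow icmp from any to any via ${EXT_IF}
EOF
}

# first_match RULESET TYPE DIR: print the action ("allow"/"deny") of the
# first rule matching an ICMP packet of that type in that direction, or
# "default-deny" when nothing matches (standing in for the final rule).
# Only understands the restricted syntax emitted above:
#   add NNNNN action icmp from any to any [icmptypes T] [in|out] via IF
first_match() {
    ruleset=$1; type=$2; dir=$3
    printf '%s\n' "$ruleset" | {
        while read -r line; do
            # direction clause: "in", "out", or absent (both directions)
            case " $line " in
                *" in "*)  [ "$dir" = in ]  || continue ;;
                *" out "*) [ "$dir" = out ] || continue ;;
            esac
            # type clause: "icmptypes N", or absent (any type)
            case " $line " in
                *" icmptypes "*)
                    case " $line " in
                        *" icmptypes $type "*) ;;
                        *) continue ;;
                    esac ;;
            esac
            set -- $line          # $1=add $2=number $3=action ...
            echo "$3"
            exit 0                # leaves only the pipeline subshell
        done
        echo default-deny
    }
}

# Dry run: what each policy does to the types that matter.
for t in 8 0 3 11; do
    echo "icmp type $t in:  allowlist=$(first_match "$(allowlist_rules)" "$t" in)" \
         " denylist=$(first_match "$(denylist_rules)" "$t" in)"
done

# Load the inverted policy only when explicitly asked and ipfw is present.
# Oliver's alternative of not filtering ICMP at all relies on the kernel's
# ICMP response rate limit instead: sysctl net.inet.icmp.icmplim (default
# 200 packets per second), which needs no firewall rule.
if [ "${APPLY:-0}" = 1 ] && command -v ipfw >/dev/null 2>&1; then
    denylist_rules | ipfw -q /dev/stdin
fi
```

Running the script without APPLY=1 only prints the dry run; it shows the allowlist dropping inbound type 3 and type 11 to default-deny while the denylist still lets them through and denies only inbound type 8.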