From: "Rodney W. Grimes"
Message-Id: <200008212216.PAA31247@gndrsh.dnsmgr.net>
Subject: Re: icmptypes
In-Reply-To: <20000821180351.H57333@jade.chc-chimes.com> from Bill Fumerola at "Aug 21, 2000 06:03:51 pm"
To: billf@chimesnet.com (Bill Fumerola)
Date: Mon, 21 Aug 2000 15:16:03 -0700 (PDT)
Cc: willwong@anime.ca (William Wong), freebsd-security@FreeBSD.ORG

> On Mon, Aug 21, 2000 at 05:59:26PM -0400, William Wong wrote:
>
> > I tried to "reset icmp" and it said that reset is only valid for tcp
> > packets. Would the polite way be to use some sort of "unreach" code?
>
> That's what I get for not reading your entire message...
>
> instead of deny use 'unreach ICMPCODE'
>
> example from memory:
> # ipfw add unreach filter-prohib icmp from any to any icmptypes 0,8

The 8 case would be okay, but returning an icmp unreach for an icmp echo
reply would be a violation of the protocol spec. I would recommend
against it.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                rgrimes@gndrsh.dnsmgr.net
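The distinction the thread turns on (an ipfw `deny` drops silently, an `unreach <code>` drops and sends an ICMP unreachable back) can be exercised offline with this small evaluator. It is an added example, not code from the list or from FreeBSD's ipfw; it models only the subset of ipfw syntax used above (`deny`, `unreach <code>`, `allow`, proto `icmp`, an `icmptypes` list), and the sample rule set splits the quoted rule so that echo replies (type 0) get a silent deny while echo requests (type 8) get `filter-prohib`.

```python
"""Toy evaluator for the ipfw ICMP rules discussed in the thread (added
example; not FreeBSD's ipfw). Only: deny | unreach <code> | allow,
proto icmp, optional 'icmptypes a,b,...'. First match wins, as in ipfw."""
from dataclasses import dataclass
from typing import List, Optional, Set

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class Rule:
    action: str                    # "deny", "unreach" or "allow"
    unreach_code: Optional[str]    # e.g. "filter-prohib"; only for unreach
    icmptypes: Optional[Set[int]]  # None means any ICMP type


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'add unreach filter-prohib icmp from any to any icmptypes 0,8'."""
    toks = line.split()
    if toks and toks[0] == "add":
        toks = toks[1:]
    action = toks.pop(0)
    code = toks.pop(0) if action == "unreach" else None
    if not toks or toks[0] != "icmp":
        raise ValueError("only 'icmp' rules are modelled in this example")
    types = None
    if "icmptypes" in toks:
        types = {int(t) for t in toks[toks.index("icmptypes") + 1].split(",")}
    return Rule(action, code, types)


def evaluate(rules: List[Rule], icmp_type: int) -> str:
    """Return what the host does with an inbound ICMP packet of icmp_type."""
    for r in rules:
        if r.icmptypes is None or icmp_type in r.icmptypes:
            if r.action == "deny":
                return "drop-silently"
            if r.action == "unreach":
                return "drop+icmp-unreach(%s)" % r.unreach_code
            return "pass"
    return "pass"  # constructed default; real ipfw's rule 65535 is kernel-configured


# Constructed rule set: echo replies are dropped quietly, only echo requests
# are answered with an ICMP unreachable, as the reply above recommends.
RULESET = [parse_rule("add deny icmp from any to any icmptypes 0"),
           parse_rule("add unreach filter-prohib icmp from any to any icmptypes 8")]
```

Feeding the quoted one-line rule (`icmptypes 0,8`) to the same evaluator shows the behaviour the reply warns about: an unreachable is generated for an echo reply too.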