From: r.yeardley@hunter13.com (Richard Yeardley)
To: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw filters for icmp which don't break things - Was: Re: Small Servers - ICMP Redirect
Date: Tue, 19 Jan 1999 14:04:07 GMT
Organization: Hunter 13
Message-ID: <36a59038.350804179@smtp.dial.pipex.com>
In-Reply-To: <4.1.19990119010408.02c0d7d0@195.250.206.101>

Here's a snippet from my rc.firewall - it allows outgoing pings and
traceroutes (and their appropriate return values) but doesn't allow
anyone to ping my LAN from the internet.

$iif is set to ed0
$oif is set to tun0

# Allow any ICMP packets to pass on inside i/f
$fwcmd add pass icmp from any to any via ${iif}

# Allow outbound pings
$fwcmd add pass icmp from any to any in recv ${oif} icmptypes 0
$fwcmd add pass icmp from any to any out xmit ${oif} icmptypes 8

# Allow outbound traceroutes
$fwcmd add pass icmp from any to any in recv ${oif} icmptypes 3
$fwcmd add pass icmp from any to any in recv ${oif} icmptypes 11

On Tue, 19 Jan 1999 01:06:32 +0100, it was written:

>
>Would some kind soul provide ipfw filters for icmp with some comments so
>people can copy them and enable only what they think is useful/needed for
>them? I'm sure something like this would be good - probably also good for
>handbook.
>
>Tomaz
>----
>Tomaz Borstnar
>"Love is the answer to the final question you ask" - Unknown
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
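
Added example, not part of the original message: a small first-match evaluator for the five ICMP rules above, so the effect of each rule can be checked against sample packets before loading them. The function name icmp_verdict, the sample packets, and the final "deny" (which assumes nothing later in the ruleset passes ICMP) are assumptions; each call models one pass of one packet through ipfw.

```sh
#!/bin/sh
iif=ed0    # inside interface, as in the message
oif=tun0   # outside interface, as in the message

# Rule bodies from the message, without the "$fwcmd add" prefix.
RULES="pass icmp from any to any via ${iif}
pass icmp from any to any in recv ${oif} icmptypes 0
pass icmp from any to any out xmit ${oif} icmptypes 8
pass icmp from any to any in recv ${oif} icmptypes 3
pass icmp from any to any in recv ${oif} icmptypes 11"

# icmp_verdict DIR IFACE TYPE -> prints the action of the first matching rule.
# DIR is "in" or "out"; IFACE is the interface the packet is crossing.
icmp_verdict() {
    pkt_dir=$1 pkt_if=$2 pkt_type=$3
    while read -r action proto _from src _to dst opts; do
        match=yes
        set -- $opts            # walk the rule's option words
        while [ $# -gt 0 ]; do
            case $1 in
                via)         [ "$2" = "$pkt_if" ] || match=no; shift 2 ;;
                'in'|'out')  [ "$1" = "$pkt_dir" ] || match=no; shift ;;
                recv|xmit)   [ "$2" = "$pkt_if" ] || match=no; shift 2 ;;
                icmptypes)   # value may be a comma-separated list
                    case ",$2," in *",$pkt_type,"*) ;; *) match=no ;; esac
                    shift 2 ;;
                *) shift ;;
            esac
        done
        if [ "$match" = yes ]; then echo "$action"; return 0; fi
    done <<EOF
$RULES
EOF
    # Assumption: no later rule passes ICMP, so unmatched packets are denied.
    echo deny
}

# Constructed sample packets: direction, interface, ICMP type.
for pkt in "out tun0 8" "in tun0 0" "in tun0 3" "in tun0 11" \
           "in tun0 8" "in tun0 5" "out tun0 0" "in ed0 8"; do
    printf '%-12s -> %s\n' "$pkt" "$(icmp_verdict $pkt)"
done
```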