Date: Thu, 1 Dec 2011 18:50:26 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Tim Daneliuk <tundra@tundraware.com>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: ipfw And ping
Message-ID: <CAHu1Y70aRWv%2BwJcwHhj3Ynyarksk110E2BCHNkcusJRFBOLHbg@mail.gmail.com>
In-Reply-To: <4ED80CD0.8070709@tundraware.com>
References: <4ED80CD0.8070709@tundraware.com>

You can rate-limit pings and other icmp with sysctl nodes (sysctl net.inet.icmp).

You can make the rule a little more restrictive:

    add allow icmp from any to any icmptypes 0,3,8,11

If you want to disallow echo requests, omit 8 - the others are essential for most things to work properly or to diagnose problems.

On Thu, Dec 1, 2011 at 3:25 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
> I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine.
> Pings were not getting through so I added this near the top
> of the rule set:
>
>  #####
>  # Allow icmp
>  #####
>
>  ${FWCMD} add allow icmp from any to any
>
>
> It does work but, two questions:
>
> 1) Is there a better way?
> 2) Will this cause harm or otherwise expose the server to some
> vulnerability?
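
An added example, not part of the original message or of ipfw itself: a small sh/awk check that reads rules in `ipfw list` format and reports ICMP allow rules that have no `icmptypes` restriction, or that leave out any of the types the reply calls essential (0, 3, 11). The function name `audit_icmp_rules`, the report format and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Audit ICMP allow rules in `ipfw list` style text read from stdin.
# Essential types per the reply above: 0, 3, 11. Type 8 is echo request.

audit_icmp_rules() {
    awk '
    $2 == "allow" && $3 == "icmp" {
        types = ""
        for (i = 4; i < NF; i++)
            if ($i == "icmptypes") types = $(i + 1)

        # No icmptypes option: the rule passes every ICMP type.
        if (types == "") {
            print $1 " UNRESTRICTED all-icmp-types-allowed"
            next
        }

        split("", has)                      # reset the per-rule set
        n = split(types, t, ",")
        for (i = 1; i <= n; i++) has[t[i]] = 1

        # Essential types that this rule does not allow.
        missing = ""
        m = split("0,3,11", ess, ",")
        for (i = 1; i <= m; i++)
            if (!(ess[i] in has))
                missing = missing (missing == "" ? "" : ",") ess[i]

        # Types allowed beyond the 0,3,8,11 set suggested in the reply.
        extra = ""
        for (i = 1; i <= n; i++)
            if (t[i] != "0" && t[i] != "3" && t[i] != "8" && t[i] != "11")
                extra = extra (extra == "" ? "" : ",") t[i]

        ping = ("8" in has) ? "yes" : "no"
        print $1 " RESTRICTED echo-request=" ping \
              " missing=" (missing == "" ? "none" : missing) \
              " extra=" (extra == "" ? "none" : extra)
    }'
}

# Constructed sample ruleset (not taken from a real host).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 allow icmp from any to any
00300 allow icmp from any to any icmptypes 0,3,8,11
00400 allow icmp from any to any icmptypes 0,3,11
00500 allow icmp from any to any icmptypes 8,13
65535 deny ip from any to any'

printf '%s\n' "$SAMPLE_RULES" | audit_icmp_rules
```

On a live host the same function can be fed with `ipfw list | audit_icmp_rules`.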