From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 11:22:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7CB5216A4B3 for ; Mon, 27 Oct 2003 11:22:39 -0800 (PST) Received: from cowbert.2y.net (d46h180.public.uconn.edu [137.99.46.180]) by mx1.FreeBSD.org (Postfix) with SMTP id 70C7543F93 for ; Mon, 27 Oct 2003 11:22:36 -0800 (PST) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 24528 invoked by uid 1001); 27 Oct 2003 19:22:35 -0000 Date: Mon, 27 Oct 2003 14:22:35 -0500 From: "Peter C. Lai" To: Brett Glass Message-ID: <20031027192235.GG6460@cowbert.2y.net> References: <200310270731.AAA23485@lariat.org> <20031027080240.GA9552@rot13.obsecurity.org> <20031027110203.B96390@trillian.santala.org> <20031027093435.GA6111@rot13.obsecurity.org> <6.0.0.22.2.20031027061227.03a6be78@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.0.22.2.20031027061227.03a6be78@localhost> User-Agent: Mutt/1.4i cc: security@freebsd.org cc: Kris Kennaway Subject: Re: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: peter.lai@uconn.edu List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 19:22:39 -0000 will the new IPFW2 build as a KLM which you could use with your old freebsd kernel? (/sbin/ipfw2 would have to be rebuilt also, but should be otherwise compatible). Similarly, is there a reason that you wouldn't be able to use the less robust ipfw2 on your release (since I assume you'd be using it purely for its iplen capabilities)? In any case, blocking ICMP etc. appears to be operationally the same as introducing unstable ipfw2 into a stable running kernel - they are at best, only temporary solutions. On Mon, Oct 27, 2003 at 06:17:26AM -0700, Brett Glass wrote: > At 02:34 AM 10/27/2003, Kris Kennaway wrote: > > >As it happens, ipfw[2] does this anyway. > > It does. But the router is a production machine and is > running an older release of FreeBSD that doesn't have > a solid IPFW2. (IPFW2 *just* hit full production quality > somewhere between 4.8-RELEASE and now, I must wait until > 4.9-RELEASE is out, and proves stable, before I can start > using IPFW2. This, as you know, may take awhile.) > > --Brett > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Peter C. Lai University of Connecticut Dept. of Molecular and Cell Biology Yale University School of Medicine SenseLab | Research Assistant http://cowbert.2y.net/