Date: Mon, 5 Nov 2001 13:48:52 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Spades <spades@galaxynet.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IDS135/ICMP_ICMP-REDIRECT_HOST
Message-ID: <200111052148.fA5Lmqb51361@apollo.backplane.com>
References: <3.0.32.20011101103631.02115a1c@smtp.magix.com.sg>

:
:Just a quick question..
:
:By default of denying all incoming/outgoing ICMP via
:ipfw using: ipfw add 120 deny icmp from any to any
:
:Does it deny ICMP-REDIRECT packets?
:
:Bryan

    Yes, but you don't want to block all ICMP packets or you will break
    TCP connections through paths which have smaller MTUs, because the
    TCP stack will never get code 3's.

    I recommend the following.  If you have a recent system also see
    'man firewall'.

    add 120 allow icmp from any to any icmptypes 0,8,11,12,13,14
    add 121 deny icmp from any to any

                                        -Matt
                                        Matthew Dillon
                                        <dillon@backplane.com>
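
Added example (not part of the original message, and not ipfw's own code): a small first-match evaluator for the two rules posted above, useful for checking which ICMP types the list actually passes. As posted, redirects (type 5) are dropped, but type 3 (destination unreachable, which carries the "fragmentation needed" report that path MTU discovery relies on) is not in the allow list either. The INTENT table and the default-deny final rule are assumptions made for this example.

```python
import re

# ICMP type names (RFC 792) for the types relevant to this thread.
ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded", 12: "parameter problem",
              13: "timestamp request", 14: "timestamp reply"}

# The two rules exactly as posted in the message above.
POSTED_RULES = """\
add 120 allow icmp from any to any icmptypes 0,8,11,12,13,14
add 121 deny icmp from any to any
"""
# Assumed policy intent: keep path MTU discovery (3), drop redirects (5).
INTENT = {3: "allow", 5: "deny"}

RULE_RE = re.compile(r"^add\s+(\d+)\s+(allow|deny)\s+icmp\s+from\s+any\s+to\s+any"
                     r"(?:\s+icmptypes\s+(\d+(?:,\d+)*))?$")

def parse_rules(text):
    """Return [(number, action, types or None)] sorted by rule number."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        types = {int(t) for t in m.group(3).split(",")} if m.group(3) else None
        rules.append((int(m.group(1)), m.group(2), types))
    return sorted(rules, key=lambda r: r[0])

def verdict(rules, icmp_type, default="deny"):
    """First matching rule wins; `default` models ipfw's final rule 65535."""
    for number, action, types in rules:
        if types is None or icmp_type in types:
            return action, number
    return default, 65535

def audit(text, want=INTENT):
    """Return [(type, wanted, got)] where the ruleset misses the intent."""
    rules = parse_rules(text)
    got = {t: verdict(rules, t)[0] for t in want}
    return [(t, want[t], got[t]) for t in sorted(want) if got[t] != want[t]]

if __name__ == "__main__":
    rules = parse_rules(POSTED_RULES)
    for t, name in sorted(ICMP_NAMES.items()):
        print(f"type {t:2} {name:24}", *verdict(rules, t))
    print("policy gaps:", audit(POSTED_RULES))
```

Running the same audit on a list that also contains type 3 reports no gaps, while redirects stay blocked.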