From owner-freebsd-security Mon Nov 5 13:48:58 2001
Date: Mon, 5 Nov 2001 13:48:52 -0800 (PST)
From: Matthew Dillon
Message-Id: <200111052148.fA5Lmqb51361@apollo.backplane.com>
To: Spades
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IDS135/ICMP_ICMP-REDIRECT_HOST
References: <3.0.32.20011101103631.02115a1c@smtp.magix.com.sg>

:
:Just a quick question..
:
:By default of denying all incoming/outgoing ICMP via
:ipfw using: ipfw add 120 deny icmp from any to any
:
:Does it deny ICMP-REDIRECT packets?
:
:Bryan

    Yes, but you don't want to block all ICMP packets or you will break
    TCP connections through paths which have smaller MTUs, because the
    TCP stack will never get code 3's.  I recommend the following.  If
    you have a recent system also see 'man firewall'.

        add 120 allow icmp from any to any icmptypes 0,8,11,12,13,14
        add 121 deny icmp from any to any

                                        -Matt
                                        Matthew Dillon
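The policy discussed above (pass the ICMP types that TCP depends on, drop everything else including redirects) can be checked offline before it is loaded into a firewall. The following is an added example and not code from the list post or from FreeBSD; it builds the two ipfw command lines, parses constructed ICMP messages (verifying the RFC 1071 checksum), and simulates ipfw's first-match rule evaluation for the ICMP type of each message. Note that the allowed list here also includes type 3 (destination unreachable), since its code 4 "fragmentation needed" message is the one path MTU discovery relies on; the one-liner in the reply does not list type 3. The sample messages, the gateway and MTU values inside them, and the default-deny fallback are all constructed assumptions.

```python
"""ipfw-style ICMP policy check (added example, not from the list post).

Assumptions (not in the original mail): the helper names, the sample
messages and the default-deny fallback are made up for illustration;
ipfw itself is never invoked.
"""
import struct

# Types the reply recommends passing, plus type 3 (destination unreachable),
# whose code 4 "fragmentation needed" message path-MTU discovery depends on.
ALLOWED_ICMP_TYPES = (0, 3, 8, 11, 12, 13, 14)


def ipfw_rules(allowed=ALLOWED_ICMP_TYPES):
    """Return the ipfw command lines: allow the listed types, deny the rest."""
    types = ",".join(str(t) for t in allowed)
    return [
        f"ipfw add 120 allow icmp from any to any icmptypes {types}",
        "ipfw add 121 deny icmp from any to any",
    ]


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Constructed ICMP message with a valid checksum (test input only)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(msg):
    """Return (type, code) of an ICMP message after checking its checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if icmp_checksum(msg) != 0:  # a correct checksum sums to zero
        raise ValueError("bad ICMP checksum")
    return struct.unpack("!BB", msg[:2])


def first_match(rules, icmp_type):
    """Simulate ipfw first-match evaluation for one ICMP type.

    Only the 'icmptypes' option of 'allow'/'deny icmp' rules is modelled.
    Rule text: ipfw add <num> <action> icmp from any to any [icmptypes a,b,c]
    """
    for rule in rules:
        words = rule.split()
        number, action = int(words[2]), words[3]
        if "icmptypes" in words:
            wanted = {int(t) for t in words[words.index("icmptypes") + 1].split(",")}
            if icmp_type not in wanted:
                continue  # option does not match, fall through to the next rule
        return action, number
    # Assumption: kernel built with the default (deny) final rule.
    return "deny", 65535


def verdicts(rules=None):
    """Evaluate three constructed messages against the rule set."""
    rules = rules or ipfw_rules()
    samples = {
        "echo-request": build_icmp(8, 0),
        # type 3 code 4: unused(2) + next-hop MTU 1500 (constructed)
        "frag-needed": build_icmp(3, 4, rest=b"\x00\x00\x05\xdc"),
        # type 5 code 1 (redirect for host): gateway 192.168.1.1 (constructed)
        "redirect-host": build_icmp(5, 1, rest=b"\xc0\xa8\x01\x01"),
    }
    result = {}
    for name, msg in samples.items():
        icmp_type, _code = parse_icmp(msg)
        action, _number = first_match(rules, icmp_type)
        result[name] = action
    return result


if __name__ == "__main__":
    for line in ipfw_rules():
        print(line)
    for name, action in verdicts().items():
        print(f"{name:14s} -> {action}")
```

Running it shows the echo request and the fragmentation-needed message passing while the redirect is denied by rule 121; evaluating the same messages against the reply's original list, ipfw_rules((0, 8, 11, 12, 13, 14)), denies the fragmentation-needed message as well, which is exactly the path-MTU breakage the reply warns about.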