From owner-freebsd-security Tue Jun 22 5:16:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fantasy.netreach.net (fantasy.netreach.net [205.197.101.219]) by hub.freebsd.org (Postfix) with ESMTP id 66EC714C85 for ; Tue, 22 Jun 1999 05:16:47 -0700 (PDT) (envelope-from petef@netreach.net)
Received: from borneo (borneo.netreach.net [205.197.101.111]) by fantasy.netreach.net (8.9.3/8.9.0) with SMTP id IAA09628; Tue, 22 Jun 1999 08:17:48 -0400 (EDT)
Date: Tue, 22 Jun 1999 08:19:31 -0400 (EDT)
From: Pete Fritchman
X-Sender: petef@borneo
To: Brendan Conoboy
Cc: freebsd-security@freebsd.org
Subject: Re: ip firewall and icmp/dos.
In-Reply-To: <199906220449.WAA07759@kitsune.swcp.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

and his message was in reference to the ip filter...

---------------------------------------------
Pete Fritchman          petef@netreach.net
Netreach                www.netreach.net
System Administrator

On Mon, 21 Jun 1999, Brendan Conoboy wrote:

> > From: Pete Fritchman
> > To: "Jason L. Schwab"
> > Subject: Re: ip firewall and icmp/dos.
> >
> > man ipmon
>
> ipmon?  Ipmon is the proggy that takes logs from IP filter, not ipfw.
>
> > On Mon, 21 Jun 1999, Jason L. Schwab wrote:
> > >
> > > Could someone please give me an example as to what lines I should add
> > > to my ruleset to keep from being Denial Of Service attacked and/or
> > > ICMP'd? Thanks. I have IPFIREWALL and IPFIREWALL_VERBOSE as options
> > > in my kernel. and I have the firewall_type set to "open" for
> > > right now.
> > >
> > > Also, I know that the IPFIREWALL_VERBOSE turns on logging, how can I
> > > see what it logs?
>
> Hi Jason.  My first suggestion would be to use IPFILTER and IPFILTER_LOG
> instead of IPFIREWALL and IPFIREWALL_VERBOSE, then you can use my handy
> howto at http://www.swcp.com/~synk/ipf-howto.txt :-)  Then you could
> also use ipmon for logging, as was suggested.
>
> If you'd prefer sticking with IPFIREWALL (which uses the ipfw command),
> I'd suggest taking a look at the ipfw(8) man page (type "man 8 ipfw").
> You should also take a look at /etc/rc.firewall.  This is where the
> "firewall_type" option is examined and rules are put into effect.  You
> can learn a bit from the examples in there.
>
> You can block and log all icmp traffic with:
>
>     /sbin/ipfw add deny log icmp from any to YourIpAddress
>
> This will keep it from coming or going.  If this is *really* what you
> want to do (ping and traceroute will stop working), you'll need to
> work that into rc.firewall.  I'm not sure what Denial Of Service
> attacks you're worried about so I don't know what's going to help you.
>
> Lastly, if you're really concerned about security of the system you're
> working with, you might want somebody else to help you with the firewall.
> The first attempts at them tend to be too loose or too tight, and
> generally not what you're really going for.
>
> -Brendan (everybody who's locked themselves out with ipfw nod and smile:-)