From owner-freebsd-security Tue Aug 22 23:47:43 2000
Message-Id: <200008230643.AAA04684@faith.cs.utah.edu>
Subject: Re: icmptypes
To: mike@argos.org (Mike Nowlin)
Date: Wed, 23 Aug 2000 00:43:35 -0600 (MDT)
Cc: imp@village.org (Warner Losh), willwong@anime.ca (William Wong), freebsd-security@FreeBSD.ORG
In-Reply-To: from "Mike Nowlin" at Aug 23, 2000 02:35:02 AM
From: "David G. Andersen"

Ugh. That's the job of the tool that sets up the firewall for the user,
or the {book, manpage, etc} the user uses to learn how to set up their
firewall. If you start trying to build policy into the firewall tools
themselves, you'll just get a headache.

... of course, the FreeBSD firewall examples deny ICMP unconditionally. :)

   -Dave

Lo and behold, Mike Nowlin once said:
>
> Actually, maybe a warning message (with a sysctl knob to turn it off) that
> gets triggered when these packets are blocked by ipfw & friends might not
> be a completely horrible idea. If people start seeing "this is
> dumb" messages show up, they'll probably ask "Why?".
>
> Enlightenment for the masses.

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
      MIT Laboratory for Computer Science      http://www.angio.net/