From owner-freebsd-security Tue Jun 27 8:22:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 4454B37C044 for ; Tue, 27 Jun 2000 08:22:06 -0700 (PDT) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id KAA32511; Tue, 27 Jun 2000 10:21:58 -0500 (CDT) (envelope-from dmartin@origen.com)
Message-ID: <3958E1C5.18593553@origen.com>
Date: Tue, 27 Jun 2000 10:17:57 -0700
From: Richard Martin
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Salvo Bartolotta
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
References: <20000627.14530500@bartequi.ottodomain.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Add:

/sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
/sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
/sbin/ipfw add deny log icmp from any to any

This lets the firewall machine ping in and out (used by Big Brother), but stops those not very useful, and blocks all ICMP to other machines past the firewall.

Substitute in the ICMP types you want to allow each way; you can specify different ones both in and out. We use

icmpallow="0,3,4,5,8,11,12,14,16,18"

I wonder if anyone has any comments on the appropriateness of these.

--
Richard Martin
dmartin@origenbio.com

Salvo Bartolotta wrote:

> Dear FreeBSD'ers,
>
> I am running a paranoidly closed firewall (homebox).
>
> Just out of curiosity, is there an *ipfw* way to allow ONLY icmp type
> 3 code 4 packets (DF), dropping all other icmp packets onto the floor?
>
> The question may be academic, though; I seem to understand that
> letting icmptypes 3 in (while letting NO icmp packets out) should
> achieve the same (paranoid) goal. Am I missing anything?
>
> Thanks in advance,
> Salvo
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
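The following is an added example, not part of either message above: a small POSIX-sh model of Richard's three-rule ICMP policy that prints the rules as a dry run and then evaluates constructed packets against them in ipfw's first-match order. It shows the property the post describes (ICMP to or from the firewall's own address passes when the type is in the list; ICMP to hosts behind the firewall hits the final deny). One caveat relevant to Salvo's question: ipfw's `icmptypes` keyword matches on the ICMP type only, so "type 3" admits every destination-unreachable code, not just code 4; the model reflects that by ignoring the code field. The address 192.0.2.1 for `oip` and the sample source addresses are placeholders; `icmpallow` is the list from the post.

```sh
#!/bin/sh
# Added example (not from the original post): dry-run model of the ipfw ICMP
# policy. Nothing here invokes ipfw; it only prints rules and evaluates packets.

oip="192.0.2.1"                      # placeholder for the firewall's own address
icmpallow="0,3,4,5,8,11,12,14,16,18" # ICMP types allowed in either direction (from the post)

# Print the three rules exactly as they would be added, without running ipfw.
emit_icmp_rules() {
    printf '%s\n' \
        "ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}" \
        "ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}" \
        "ipfw add deny log icmp from any to any"
}

# Succeed (return 0) when ICMP type $1 appears in the comma-separated allow list.
type_allowed() {
    case ",${icmpallow}," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# icmp_verdict SRC DST TYPE -> prints "pass" or "deny", first matching rule wins.
# The ICMP code is intentionally not a parameter: ipfw's icmptypes matches the
# type field only, so a "type 3 code 4 only" rule cannot be expressed this way.
icmp_verdict() {
    src=$1; dst=$2; itype=$3
    # Rule 1: from the firewall to anywhere, allowed type
    if [ "$src" = "$oip" ] && type_allowed "$itype"; then echo pass; return 0; fi
    # Rule 2: from anywhere to the firewall, allowed type
    if [ "$dst" = "$oip" ] && type_allowed "$itype"; then echo pass; return 0; fi
    # Rule 3: everything else (including all ICMP to hosts behind the firewall)
    echo deny
}

# Demonstration on constructed packets.
emit_icmp_rules
icmp_verdict 198.51.100.7 "$oip"       3   # unreachable addressed to the firewall: pass
icmp_verdict 198.51.100.7 192.168.0.5  3   # unreachable to a host behind it:      deny
icmp_verdict "$oip"       198.51.100.7 13  # timestamp request from the firewall:  deny
icmp_verdict "$oip"       198.51.100.7 8   # echo request from the firewall:       pass
```

Because the final rule is `deny log`, every packet that falls through the two pass rules is logged; on a busy link that is the line to watch when deciding whether a type in the allow list is actually needed.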