Date: Sun, 6 Oct 2002 03:49:11 +0300
From: Giorgos Keramidas <keramida@freebsd.org>
To: "Jack L. Stone" <jackstone@sage-one.net>
Cc: "Patrick O'Reilly" <bsd@perimeter.co.za>, questions@freebsd.org, master <master@tyranz.com>
Subject: Re: block icmp with ipfw
Message-ID: <20021006004911.GB39351@hades.hell.gr>
In-Reply-To: <3.0.5.32.20021005193900.01199da8@mail.sage-one.net>
References: <3.0.5.32.20021005085103.011d62c0@mail.sage-one.net> <3.0.5.32.20021005193900.01199da8@mail.sage-one.net>

On 2002-10-05 19:39, "Jack L. Stone" <jackstone@sage-one.net> wrote:
> At 09:41 PM 10.5.2002 +0300, Giorgos Keramidas wrote:
> >On 2002-10-05 08:51, Jack L. Stone wrote:
> >> At 03:41 PM 10.5.2002 +0200, Patrick O'Reilly wrote:
> >> >From: "master" <master@tyranz.com>
> >> > > hi all i would like to know the syntax of ipfw to block icmp ping?
> >> > > (echo and reply)
> >> >
> >> > ipfw add 123 deny ip from any to any icmptypes 8
> >>
> >> .... but if you still want to ping OUT....
> >> ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
> >
> >That will negate the effect of any firewall rules that "block" icmp
> >packets though, i.e. it's the opposite of what was asked :-)
>
> ....then answer the poster's question. I don't have the same other rule in
> conflict....

Pardon me sounding a bit offensive, if I did.  I meant that there is no
good rule that allows outgoing pings but blocks incoming ones.  You can
probably use something that depends on ipfw states, but icmp is not really
good at keeping states and dynamic rules will eat more resources than
simply blocking all icmps.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
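
Added example, not part of the original message or of any FreeBSD-supplied rule set: a stateless ipfw rule set that separates ICMP echo by direction, the case discussed in this thread, including the echo-reply rule that outgoing pings need. The rule numbers, the fxp0 interface name and the dry-run default for the command are assumptions.

```shell
#!/bin/sh
# Stateless ipfw rules that treat ICMP echo differently per direction.
# Assumptions (not from the thread): rule numbers 1000-1020 and the
# interface name fxp0. FWCMD defaults to a dry run that only prints the
# commands; set FWCMD=/sbin/ipfw on a FreeBSD host to install them.

fwcmd="${FWCMD:-echo ipfw}"
oif="${OIF:-fxp0}"

icmp_echo_rules() {
    # Outgoing echo requests (type 8) may leave through the outside interface.
    ${fwcmd} add 1000 pass icmp from any to any icmptypes 8 out via "${oif}"

    # Their answers (echo reply, type 0) must be let back in, otherwise
    # every outgoing ping times out.
    ${fwcmd} add 1010 pass icmp from any to any icmptypes 0 in via "${oif}"

    # Incoming echo requests are dropped, so this host does not answer pings.
    ${fwcmd} add 1020 deny icmp from any to any icmptypes 8 in via "${oif}"
}

icmp_echo_rules
```

Because these rules keep no state, an echo reply arriving on the outside interface is accepted whether or not a request was sent; the dynamic-rule approach mentioned in the message is the alternative to that.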