Date: Mon, 25 Aug 2003 19:53:56 -0700 (MST) From: Technical Director <trodat@ultratrends.com> To: K Anderson <freebsduser@comcast.net> Cc: FreeBSD Questions <questions@freebsd.org> Subject: Re: IPFW & ICMP Message-ID: <Pine.BSF.4.21.0308251950030.37550-100000@server1.ultratrends.com> In-Reply-To: <3F4ABCBD.6030600@comcast.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello, Someone correct me if I am wrong, but, snort as with other traffic shapers and dumpers take actual traffic from the network card prior to the firewall/kernel getting it. The rule is in place and as long as you see numbers in the first two columns in the following command: ipfw -a l [INSERT_YOUR_FW_RULE_FOR_ICMP_BLOCKING] ##### 0 2300 deny icmp from any to me via ed0 then your rule should be fine. If it's zero then the rules above it are stopping any activity that this rule might have on incoming packets. R. On Mon, 25 Aug 2003, K Anderson wrote: > Howdy folks, > > I've been getting bombarded with ICMP (Cyberkit 2.2 attack) stuff and > created a rule in ipfw to firewall it. The rule is working, I am getting > measured stats but the problem is snort is seeing them and reporting > them. I thought that by firewalling ICMP snort would stop noticing them. > If I'm wrong in my asumption I would certainly like to hear it. > > Here is the fierwall rule I applied. > > deny log icmp from any to me via ed0 > > There are some TCP and IP rules above that but I don't see that causing > anything to skip over the ICMP rule. And snort is seeing them as I did > a quick search through ACID. > > Thanks in advance. > > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0308251950030.37550-100000>