Date: Fri, 24 Nov 2000 13:42:19 +0200
From: Nevermind <never@nevermind.kiev.ua>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Vlad <tmd@tmd.df.ru>, security@FreeBSD.ORG
Subject: Re: ipf - icmp
Message-ID: <20001124134218.A17181@nevermind.kiev.ua>
In-Reply-To: <xzp66ldtz6k.fsf@flood.ping.uio.no>; from des@ofug.org on Fri, Nov 24, 2000 at 11:57:39AM +0100
References: <Pine.BSF.4.21.0011231431360.18361-100000@tmd.df.ru> <xzp66ldtz6k.fsf@flood.ping.uio.no>

Hello, Dag-Erling Smorgrav!

On Fri, Nov 24, 2000 at 11:57:39AM +0100, you wrote:

> Vlad <tmd@tmd.df.ru> writes:
> > pass in quick on sis0 proto icmp from any to any icmp-type 0
> > pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
> > pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
> > pass in quick on sis0 proto icmp from any to any icmp-type timex
> > pass out quick on sis0 proto icmp from any to any
> >
> > these entries will allow you to ping/traceroute anyone, will prohibit
> > anyone from pinging/tracerouting you.
> No. There is no way to completely prevent someone from tracerouting
> you. You can make it slightly harder by blocking incoming UDP (which
> your ruleset does not), but that's about it.

Why not use ipfw?

ipfw add deny icmp from any to any via sis0

-- 
Alexandr P. Kovalenko http://nevermind.kiev.ua/ NEVE-RIPE
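Added example, not part of the original message and not ipf or ipfw code: a first-match model in Python of the quoted ipf "quick" rules and of the proposed ipfw rule, run over constructed sample packets. The names Pkt, Rule and verdict are hypothetical; a verdict of None means none of the quoted rules matched, so the rest of the ruleset (not shown in the thread) decides.

```python
from typing import NamedTuple, Optional

class Pkt(NamedTuple):
    direction: str                    # "in" or "out" on sis0
    proto: str                        # "icmp" or "udp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

class Rule(NamedTuple):
    action: str
    direction: Optional[str]          # None matches either direction
    proto: str
    icmp_type: Optional[int] = None   # None matches any type
    icmp_code: Optional[int] = None   # None matches any code

    def matches(self, p: Pkt) -> bool:
        return (self.direction in (None, p.direction)
                and self.proto == p.proto
                and self.icmp_type in (None, p.icmp_type)
                and self.icmp_code in (None, p.icmp_code))

# The quoted ipf rules: echo reply (0), unreach (3) codes 3 and 4, timex (11).
IPF = [Rule("pass", "in", "icmp", 0),
       Rule("pass", "in", "icmp", 3, 3),
       Rule("pass", "in", "icmp", 3, 4),
       Rule("pass", "in", "icmp", 11),
       Rule("pass", "out", "icmp")]
# ipfw add deny icmp from any to any via sis0
IPFW = [Rule("deny", None, "icmp")]

def verdict(rules, pkt):
    """Action of the first matching rule, or None if no listed rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None

# Constructed sample packets, one per traffic kind discussed in the thread.
SAMPLES = {
    "echo request in (someone pings you)": Pkt("in", "icmp", 8, 0),
    "echo reply in (answer to your ping)": Pkt("in", "icmp", 0, 0),
    "time exceeded in (your traceroute)": Pkt("in", "icmp", 11, 0),
    "frag needed in (path MTU discovery)": Pkt("in", "icmp", 3, 4),
    "UDP probe in (traceroute towards you)": Pkt("in", "udp"),
    "port unreachable out (reply to probe)": Pkt("out", "icmp", 3, 3),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:40} ipf={verdict(IPF, pkt)} ipfw={verdict(IPFW, pkt)}")
```

In this model the single ipfw rule also denies the echo reply, time-exceeded and fragmentation-needed messages that the ipf rules pass, and the inbound UDP probe is matched by neither ruleset.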