Date: Tue, 27 Jun 2000 10:17:57 -0700
From: Richard Martin <dmartin@origen.com>
To: Salvo Bartolotta <bartequi@inwind.it>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <3958E1C5.18593553@origen.com>
References: <20000627.14530500@bartequi.ottodomain.org>
Add:

    /sbin/ipfw add pass icmp from ${oip} to any icmptypes ${icmpallow}
    /sbin/ipfw add pass icmp from any to ${oip} icmptypes ${icmpallow}
    /sbin/ipfw add deny log icmp from any to any

This lets the firewall machine ping in and out (used by Big Brother), but stops those not very useful ones, and blocks all ICMP to other machines past the firewall.

Substitute in the ICMP types you want to allow each way; you can specify different ones both in and out. We use

    icmpallow="0,3,4,5,8,11,12,14,16,18"

I wonder if anyone has any comments on the appropriateness of these.

--
Richard Martin
dmartin@origenbio.com

Salvo Bartolotta wrote:
> Dear FreeBSD'ers,
>
> I am running a paranoidly closed firewall (homebox).
>
> Just out of curiosity, is there an *ipfw* way to allow ONLY icmp type
> 3 code 4 packets (DF), dropping all other icmp packets onto the floor
> ?
>
> The question may be academic, though; I seem to understand that
> letting icmptypes 3 in (while letting NO icmp packets out) should
> achieve the same (paranoid) goal. Am I missing anything ?
>
> Thanks in advance,
> Salvo
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
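As an added illustration (not code from the thread or from ipfw itself), the Python below models the two policies being compared: the type-only match that the posted `icmptypes` rules express, and the type-3-code-4-only match Salvo asks about, evaluated against constructed ICMP headers. The `ipfw_rules` helper and the sample packets are assumptions made for the example; the allow list is the one from the post.

```python
import struct

# Type list from the post's icmpallow setting; 13 (timestamp request) and
# 17 (address mask request), for instance, are absent from it.
ICMPALLOW = {0, 3, 4, 5, 8, 11, 12, 14, 16, 18}
FRAG_NEEDED = (3, 4)  # destination unreachable / fragmentation needed (DF set)

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum; over a valid message it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample packet: 8-byte ICMP header with a correct checksum."""
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest)
    return struct.pack("!BBH", icmp_type, code, csum) + rest

def parse_icmp(pkt: bytes):
    """Return (type, code), or None if the header is short or the checksum is bad."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        return None
    icmp_type, code = struct.unpack("!BB", pkt[:2])
    return icmp_type, code

def by_type(pkt: bytes) -> str:
    """Models 'ipfw ... icmptypes': only the type field is consulted, so every
    code of type 3 (not just fragmentation needed) is passed."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return "deny"  # malformed packets are dropped
    return "pass" if parsed[0] in ICMPALLOW else "deny"

def frag_needed_only(pkt: bytes) -> str:
    """Models the stricter goal asked about: only type 3 code 4 passes."""
    return "pass" if parse_icmp(pkt) == FRAG_NEEDED else "deny"

def ipfw_rules(oip: str, allow=sorted(ICMPALLOW)) -> list:
    """Expand the three rules from the post for a given firewall address (hypothetical helper)."""
    types = ",".join(str(t) for t in allow)
    return [
        f"/sbin/ipfw add pass icmp from {oip} to any icmptypes {types}",
        f"/sbin/ipfw add pass icmp from any to {oip} icmptypes {types}",
        "/sbin/ipfw add deny log icmp from any to any",
    ]
```

Comparing `by_type` and `frag_needed_only` on a type 3 code 1 (host unreachable) header shows what the type-level rule lets through that the code-level goal would not.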