Date:      Thu, 12 Aug 1999 00:16:07 -0600 (MDT)
From:      Nick Rogness <nick@rapidnet.com>
To:        Jason Schwab <jschwab@telebot.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfw
Message-ID:  <Pine.BSF.4.05.9908112204040.48871-100000@rapidnet.com>
In-Reply-To: <37b234fe.c8.0@telebot.com>

On Wed, 11 Aug 1999, Jason Schwab wrote:

> What rules should I add to my ipfw ruleset to block out icmp 
> floods and smurf attacks, etc.? Thanks.

For smurf attacks, I've done it 2 different ways before, assuming
your local net is 192.168.0.0/24:

   # Permit traffic from local net 192.168.0.0/24 to broadcast addr.
   ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32
   # Deny log traffic from outside local net to local broadcast
   ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0

or:

   # Deny log ICMP echo requests to broadcast from anywhere (1 line)
   ipfw add 2000 deny log icmp from any to 192.168.0.255/32 in via de0 icmptypes 8

Flood pinging is a bit more difficult.  You probably can use DUMMYNET for
this but I have never used it for that before, so I can't wave you in
one direction or the other from using it.  We block this garbage with 
our Ciscos so I'm not sure on it.  But look in LINT at 'options
ICMP_BANDLIM' or the sysctl switch.

*******************************************************************
Nick Rogness		     Shaw's Principle:
System Administrator	       Build a system that even a fool
RapidNet, INC   	       can use, and only a fool will
nick@rapidnet.com	       want to use it.
*******************************************************************
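
The rules above hard-code the broadcast address of a /24. As an added example that is not part of the original message, the script below computes the directed-broadcast address for any prefix length and prints the first pair of rules for it; the function names `bcast_addr` and `smurf_rules` are hypothetical, and the script only prints the `ipfw` commands, it does not install them.

```shell
#!/bin/sh
# Added example: derive the directed-broadcast address of a local network
# and print (not install) the permit/deny rule pair from the message.

# bcast_addr NET/LEN -> dotted-quad broadcast address of that network.
# Fails on malformed input and on /31 and /32, which have no broadcast.
bcast_addr() {
    net=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$len" -le 30 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $net                      # split the address into four octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    host=$(( (1 << (32 - $len)) - 1 ))   # host-bit mask, 255 for a /24
    b=$(( ip | host ))                   # set every host bit
    echo "$(( (b >> 24) & 255 )).$(( (b >> 16) & 255 )).$(( (b >> 8) & 255 )).$(( b & 255 ))"
}

# smurf_rules NET/LEN IFACE -> rules 1000 and 2000 for that network.
smurf_rules() {
    bc=$(bcast_addr "$1") || return 1
    # Permit local hosts to reach their own broadcast address.
    echo "ipfw add 1000 permit ip from $1 to $bc/32"
    # Deny and log everything else sent to it on the outside interface.
    echo "ipfw add 2000 deny log ip from any to $bc/32 in via $2"
}

# Constructed sample input: the /24 from the message, then a /26.
smurf_rules 192.168.0.0/24 de0
smurf_rules 172.16.5.64/26 de0
```
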