Date:      Sun, 24 Feb 2002 10:43:34 -0500 (EST)
From:      Ralph Huntington <rjh@mohawk.net>
To:        Jeff Palmer <scorpio@drkshdw.org>
Cc:        Dag-Erling Smorgrav <des@ofug.org>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: Couple of concerns with default rc.firewall
Message-ID:  <20020224104008.H14963-100000@mohegan.mohawk.net>
In-Reply-To: <001101c1bd48$2df35020$0286a8c0@home.lan>

Maybe I'm missing the point, but doesn't "deny ip from any to any" (which
is the last rule in a block-all-by-default firewall) mean to
block everything, meaning everything? Nothing would be allowed, not any
ICMP of any type or anything else. In order to allow anything in
particular, that would have to be explicitly enabled in a prior (ipfw)
rule, is that not correct?


On Sun, 24 Feb 2002, Jeff Palmer wrote:

> DES,
>
> Maybe you fail to see my point.  I was wondering if there was a reason the
> FreeBSD team has decided not to allow certain ICMPs by default.
> I'm perfectly aware of how to change the rules to do what I want.  I was
> asking if there was a reason for this decision, or if it was an oversight.
>
>
> ----- Original Message -----
> From: "Dag-Erling Smorgrav" <des@ofug.org>
> To: "Jeff Palmer" <scorpio@drkshdw.org>
> Cc: <freebsd-security@FreeBSD.ORG>
> Sent: Sunday, February 24, 2002 7:16 AM
> Subject: Re: Couple of concerns with default rc.firewall
>
>
> > "Jeff Palmer" <scorpio@drkshdw.org> writes:
> > > Is there any reason in particular, that ALL icmp traffic is denied
> > > by default, except for using the 'open' ruleset?
> >
> > The default rule #65535 is "deny ip from any to any".  Wouldn't you be
> > surprised if this *didn't* block all ICMP packets?
> >
> > Just add the following early on in your firewall ruleset:
> >
> >     allow icmp from any to any icmptype 0,3,8,11
> >
> > preferably *after* any anti-spoofing rules.
> >
> > DES
> > --
> > Dag-Erling Smorgrav - des@ofug.org
> >

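As an added illustration (this is not part of the thread and not FreeBSD's own rc.firewall or ipfw code), the following Python models the one ipfw behaviour the thread turns on: rules are evaluated in ascending number order, the first match decides, and rule 65535 ("deny ip from any to any") catches everything no earlier rule allowed. It then shows why DES says to put the ICMP allow after the anti-spoofing rules: with the allow placed first, a spoofed echo request from a private source address arriving on the outside interface gets through. The interface name fxp0, the addresses, the rule numbers and the packets are all constructed for the example; the `in_iface` field approximates ipfw's `in via <iface>` matching.

```python
"""Minimal first-match model of an ipfw ruleset (added example, not FreeBSD code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "icmp", "tcp" or "udp"
    src: str
    dst: str
    in_iface: str              # interface the packet arrived on (constructed)
    icmptype: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                          # "allow" or "deny"
    proto: str = "ip"                    # "ip" matches every protocol, as in ipfw
    src: str = "any"
    dst: str = "any"
    in_iface: Optional[str] = None       # rough equivalent of "in via <iface>"
    icmptypes: Optional[frozenset] = None

    @staticmethod
    def _addr_matches(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if not (self._addr_matches(self.src, pkt.src) and self._addr_matches(self.dst, pkt.dst)):
            return False
        if self.icmptypes is not None and pkt.icmptype not in self.icmptypes:
            return False
        return True


# Rule 65535 "deny ip from any to any": the implicit last rule of a default-deny kernel.
DEFAULT_DENY = Rule(65535, "deny")


def evaluate(rules, pkt: Packet):
    """Return (rule_number, action) of the first rule that matches pkt.

    If nothing matches, the packet falls through to rule 65535 and is denied.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return DEFAULT_DENY.number, DEFAULT_DENY.action


EXTERNAL = "fxp0"  # hypothetical outside interface

# Anti-spoofing first: RFC 1918 sources must never arrive on the outside interface.
ANTI_SPOOF = [
    Rule(100, "deny", src="10.0.0.0/8", in_iface=EXTERNAL),
    Rule(110, "deny", src="192.168.0.0/16", in_iface=EXTERNAL),
    Rule(120, "deny", src="172.16.0.0/12", in_iface=EXTERNAL),
]
# The rule DES suggested ("allow icmp from any to any icmptype 0,3,8,11"),
# numbered so that it sorts after the anti-spoofing block.
ICMP_ALLOW_AFTER = Rule(200, "allow", proto="icmp", icmptypes=frozenset({0, 3, 8, 11}))
# The same rule numbered *before* the anti-spoofing block: the ordering DES warns against.
ICMP_ALLOW_BEFORE = Rule(50, "allow", proto="icmp", icmptypes=frozenset({0, 3, 8, 11}))

RULESET = ANTI_SPOOF + [ICMP_ALLOW_AFTER, DEFAULT_DENY]
MISORDERED = ANTI_SPOOF + [ICMP_ALLOW_BEFORE, DEFAULT_DENY]

# Constructed packets arriving on the outside interface.
LEGIT_PING = Packet("icmp", "203.0.113.5", "198.51.100.1", EXTERNAL, icmptype=8)
SPOOFED_PING = Packet("icmp", "192.168.1.20", "198.51.100.1", EXTERNAL, icmptype=8)
TIMESTAMP_REQ = Packet("icmp", "203.0.113.5", "198.51.100.1", EXTERNAL, icmptype=13)
SSH_SYN = Packet("tcp", "203.0.113.5", "198.51.100.1", EXTERNAL)


def demo():
    """Evaluate the constructed packets against both orderings."""
    return {
        "legit_ping": evaluate(RULESET, LEGIT_PING),          # (200, "allow")
        "spoofed_ping": evaluate(RULESET, SPOOFED_PING),      # (110, "deny"): anti-spoofing wins
        "timestamp_req": evaluate(RULESET, TIMESTAMP_REQ),    # (65535, "deny"): type 13 not allowed
        "ssh_syn": evaluate(RULESET, SSH_SYN),                # (65535, "deny"): nothing allows tcp
        "spoofed_misordered": evaluate(MISORDERED, SPOOFED_PING),  # (50, "allow"): the mistake
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> rule {verdict[0]:5d} {verdict[1]}")
```

The model ignores stateful matching, `out` direction and most other ipfw keywords on purpose; it exists only to show that with a default-deny last rule, ICMP (or anything else) is reachable solely through an earlier explicit allow, and that the position of that allow relative to anti-spoofing rules decides whether forged sources benefit from it.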