Date: Tue, 27 Jun 2000 11:07:00 -0600 (MDT)
From: Paul Hart <hart@iserver.com>
To: Salvo Bartolotta <bartequi@inwind.it>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <Pine.BSF.4.21.0006271057330.29364-100000@anchovy.orem.iserver.com>
In-Reply-To: <20000627.17395900@bartequi.ottodomain.org>

On Tue, 27 Jun 2000, Salvo Bartolotta wrote:

> Well, actually, my homebox will behave, as it were, like a Klingon
> spaceship: for example, it will normally deny **all** icmptypes except
> type 3 code 4 (DF). When I need to ping, traceroute, etc., I will
> *temporarily* remove some restrictions.

If you are using IP Filter, why not let it do the work for you? It is very easy to set up a "cloaked" firewall machine like you describe with IP Filter.

In this situation, you can easily block all incoming ICMP/UDP/TCP packets as a general rule and rely entirely on IP Filter setting state rules for connections, traceroutes, or pings that were initiated from behind the firewall. That will let traceroute and ping automatically work from behind the firewall out to hosts outside the firewall, but you are otherwise 100% invisible to any other host on the Internet.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
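
The setup described in the message above, sketched as an IP Filter ruleset. This is an added example, not part of the original e-mail; the external interface name `tun0` is an assumption, and the commented-out last rule is the quoted poster's own ICMP type 3 code 4 exception rather than something the reply asks for.

```conf
# Added example: default-deny inbound, state-tracked outbound.
# tun0 is an assumed external interface name; substitute your own.

# Loopback traffic is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# General rule: drop every inbound packet on the external interface.
# IP Filter consults its state table before the ruleset, so replies
# that belong to an outbound flow are accepted without reaching this rule.
block in on tun0 all

# Outbound: create a state entry for each new flow started from the
# inside. TCP state is created on the initial SYN only.
pass out quick on tun0 proto tcp  from any to any flags S keep state
pass out quick on tun0 proto udp  from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Optional: explicit inbound exception for ICMP type 3 (unreach),
# code 4 (fragmentation needed but DF set), as in the quoted message.
# pass in quick on tun0 proto icmp from any to any icmp-type unreach code 4
```

With no `pass in` rule on the external interface, the only inbound packets accepted are those matched to state created by the three `pass out ... keep state` rules.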