Date:      Thu, 12 Aug 1999 09:38:39 -0700
From:      Tom Brown <tomb@securify.com>
To:        Nick Rogness <nick@rapidnet.com>, "'Paul Hart'" <hart@iserver.com>
Cc:        "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject:   RE: ipfw
Message-ID:  <01BEE4A6.75DBDD80@beetroot.securify.com>

You can add a rule to block incoming ICMP replies but it's kind of
convenient to have ping.  I get fine results by using natd with the -d
option; that way you can still ping but incoming traffic is rejected
unless it was initialized from within, though not much help if it is a
"client" ipfw on a single box.

Tom
----------
From:  Paul Hart
Sent:  Thursday, August 12, 1999 2:40 AM
To:  Nick Rogness
Cc:  freebsd-security@FreeBSD.ORG
Subject:  Re: ipfw

On Thu, 12 Aug 1999, Nick Rogness wrote:

> > what rules should I add to my ipfw ruleset to block out icmp
> > floods and smurf attacks, etc thanks.
>
> For smurf attacks, I've done it 2 different ways before, assuming
> your local net is 192.168.0.0/24:
>
>    # Permit traffic from local net 192.168.0.0/24 to broadcast addr.
>    ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32
>    # Deny log traffic from outside local net to local broadcast
>    ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0

Doesn't that just stop you from being used as a smurf amplifier?  I think
the original poster wanted to know how to defend against being a smurf
victim, which is much more difficult.  The best resources I've seen for
understanding smurf attacks are:

    http://users.quadrunner.com/chuegen/smurf.cgi
    http://www.netscan.org/
    http://www.powertech.no/smurf/

Defending against smurf attacks is hard because by the time you receive
the smurf traffic on your network, much of the damage has already been
done.  And believe me, you WILL notice that something is happening when
you're feeling the brunt of a 60 Mb/s sustained smurf attack.  :-)

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message








Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01BEE4A6.75DBDD80>
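
The distinction drawn in the thread (rule 2000 keeps the network from being an amplifier, it does not protect a victim) can be read straight from that rule's log output: the source address on each denied echo request to the broadcast address is the address the replies would have been sent to. The following is an added example, not code from the thread or from FreeBSD; the syslog line layout, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input. The line layout is an assumption: the syslog
# format ipfw writes for rules that carry the "log" keyword.
SAMPLE_LOG = """\
Aug 12 02:31:07 gw /kernel: ipfw: 2000 Deny ICMP:8.0 203.0.113.9 192.168.0.255 in via de0
Aug 12 02:31:07 gw /kernel: ipfw: 2000 Deny ICMP:8.0 203.0.113.9 192.168.0.255 in via de0
Aug 12 02:31:08 gw /kernel: ipfw: 2000 Deny ICMP:8.0 203.0.113.9 192.168.0.255 in via de0
Aug 12 02:40:12 gw /kernel: ipfw: 2000 Deny UDP 198.51.100.4:137 192.168.0.255:137 in via de0
Aug 12 02:41:00 gw /kernel: ipfw: 3000 Deny TCP 198.51.100.7:4411 192.168.0.10:23 in via de0
Aug 12 02:41:30 gw sshd[211]: unrelated line
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>[A-Z]+)(?::(?P<type>\d+)\.(?P<code>\d+))? "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def broadcast_hits(log_text, rule="2000", broadcast="192.168.0.255"):
    """Yield parsed fields for each logged deny of inbound traffic to the broadcast address."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["rule"] == rule and m["dst"] == broadcast and m["dir"] == "in":
            yield m.groupdict()

def summarize(log_text, **kw):
    """Return (echo requests per claimed source, count of other broadcast traffic)."""
    echo = Counter()
    other = 0
    for hit in broadcast_hits(log_text, **kw):
        # ICMP type 8 is echo request, the packet a smurf amplifier would answer.
        # The claimed source is normally forged to be the intended victim.
        if hit["proto"] == "ICMP" and hit["type"] == "8":
            echo[hit["src"]] += 1
        else:
            other += 1
    return dict(echo), other

if __name__ == "__main__":
    echo, other = summarize(SAMPLE_LOG)
    for src, n in sorted(echo.items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} echo requests to broadcast claiming source {src}")
    print(f"{other:6d} other denied packets to broadcast")
```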