From owner-freebsd-security Sun Feb 24 8:13:55 2002
From: "Jeff Palmer"
To: "Ralph Huntington"
Cc: "Dag-Erling Smorgrav"
Subject: Re: Couple of concerns with default rc.firewall
Date: Sun, 24 Feb 2002 11:13:49 -0500

I'm not sure if you two are bored, or what the problem is. Let me reiterate the last two lines of my original message:

"Is there any reason in particular, that ALL icmp traffic is denied by default, except for using the 'open' ruleset? Or is this just a simple oversight, that needs to be examined?"

I'm ASKING if it was an oversight that the DEFAULT policies (other than 'open') are denying ICMP, as it is typically agreed that some ICMP types are beneficial. I know damn well how a firewall works. I also know how to modify it for MY needs. (You might have noticed in my original post that I said I use a modified simple ruleset; ICMP is just one of the modifications.) I'm not asking why it blocks ICMP due to a lack of knowledge about how packet filtering works.
I'm asking why the default firewall blocks beneficial ICMPs, due to the fact that some people hear "install a firewall, install a firewall" and don't know the first thing about it. Chances are high that they are using these default rules, which block ICMPs. I've monitored this list for quite some time. I'd rather this thread not be turned into the circus that you two seem to enjoy. It's a legit concern, and I'd rather it be addressed publicly.

----- Original Message -----
From: "Ralph Huntington"
To: "Jeff Palmer"
Cc: "Dag-Erling Smorgrav"
Sent: Sunday, February 24, 2002 10:43 AM
Subject: Re: Couple of concerns with default rc.firewall

> Maybe I'm missing the point, but doesn't "deny ip from any to any" (which
> is the last rule in a block-all-by-default firewall) mean to block
> everything, meaning everything? Nothing would be allowed, not any icmp of
> any type or anything else. In order to allow anything in particular, that
> would have to be explicitly enabled in a prior (ipfw) rule, is that not
> correct?
>
> On Sun, 24 Feb 2002, Jeff Palmer wrote:
>
> > DES,
> >
> > Maybe you fail to see my point. I was wondering if there was a reason the
> > FreeBSD team has decided not to allow certain ICMPs by default.
> > I'm perfectly aware of how to change the rules to do what I want. I was
> > asking if there was a reason for this decision, or if it was an oversight.
> >
> > ----- Original Message -----
> > From: "Dag-Erling Smorgrav"
> > To: "Jeff Palmer"
> > Cc:
> > Sent: Sunday, February 24, 2002 7:16 AM
> > Subject: Re: Couple of concerns with default rc.firewall
> >
> > > "Jeff Palmer" writes:
> > > > Is there any reason in particular, that ALL icmp traffic is denied
> > > > by default, except for using the 'open' ruleset?
> > >
> > > The default rule #65535 is "deny ip from any to any". Wouldn't you be
> > > surprised if this *didn't* block all ICMP packets?
> > >
> > > Just add the following early on in your firewall ruleset:
> > >
> > >     allow icmp from any to any icmptype 0,3,8,11
> > >
> > > preferably *after* any anti-spoofing rules.
> > >
> > > DES
> > > --
> > > Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
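The ordering DES describes (anti-spoofing rules first, then the ICMP allow, with rule 65535 still denying everything else), written as an rc.firewall-style sh fragment. This is an added example, not part of the thread and not FreeBSD's own rc.firewall; the interface name and the inside network are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc.firewall).
# Keeps the implicit rule 65535 "deny ip from any to any" but lets the
# beneficial ICMP types through, and only after anti-spoofing rules so a
# packet forging an inside source cannot ride the ICMP allow.
oif="fxp0"                # assumed outside interface (placeholder)
inet="192.168.134.0/24"   # assumed inside network (placeholder)

# $1 is the command used to install rules: /sbin/ipfw on a real host,
# or "echo" to preview the resulting ruleset without touching the kernel.
load_icmp_rules() {
    fwcmd="$1"
    # Anti-spoofing first: inside, loopback and RFC 1918 sources must never
    # arrive on the outside interface.
    ${fwcmd} add 100 deny ip from ${inet} to any in via ${oif}
    ${fwcmd} add 110 deny ip from 127.0.0.0/8 to any in via ${oif}
    ${fwcmd} add 120 deny ip from 10.0.0.0/8 to any in via ${oif}
    ${fwcmd} add 130 deny ip from 172.16.0.0/12 to any in via ${oif}
    ${fwcmd} add 140 deny ip from 192.168.0.0/16 to any in via ${oif}
    # Only now the ICMP types a host actually needs:
    #   0 echo reply, 3 destination unreachable (path MTU discovery depends
    #   on it), 8 echo request, 11 time exceeded (traceroute).
    ${fwcmd} add 200 allow icmp from any to any icmptype 0,3,8,11
    # Remaining ICMP is dropped explicitly and logged, so it does not vanish
    # silently into rule 65535 where nobody notices it.
    ${fwcmd} add 210 deny log icmp from any to any
}

# Rule number of the ICMP allow in the preview output; lets a script check
# that it sits above the explicit deny and below the anti-spoofing rules.
rule_number_of_icmp_allow() {
    load_icmp_rules echo | grep 'icmptype 0,3,8,11' | awk '{print $2}'
}
```

Run `load_icmp_rules echo` to review the rules, and `load_icmp_rules /sbin/ipfw` as root to install them.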