Date:      Sun, 19 Jul 1998 09:40:34 +1200 (NZST)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        Hallam Oaks P/L list account <maillist@oaks.com.au>
Cc:        "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject:   Re: rc.firewall (was Re: Large-scale scan of SNMP ports)
Message-ID:  <Pine.BSF.3.96.980719082909.3806A-100000@aniwa.sky>
In-Reply-To: <199807180456.OAA04248@mail.aussie.org>

On Sat, 18 Jul 1998, Hallam Oaks P/L list account wrote:

> ###############################################################################
> # ALLOW ICMP ENTRIES
> ###############################################################################
> 
> # Allow ICMP from our local network - so PC's can ping things on the 'net
> # Makes us and the PC's vulnerable to certain types of attacks
> 
> # It would be nice if IPFW had the ability to 'see' an outgoing ICMP echo request,
> # (which we could enable in one direction only), and then optionally automatically
> # enable incoming ICMP to the sending IP address for a specified # of seconds.
> # But it can't so we just leave it on all the time ...
> $fwcmd add pass icmp from any to any

I've just gotten to looking at icmp.

I left this in overnight:

40000         28       2320 allow log icmp from any to xx.xx.xx.xx
40010          5       1032 allow log icmp from xx.xx.xx.xx to any

where xx.xx.xx.xx is my machine's ip.

What I've gotten back shows ICMP:11.0 packets coming in from local and
distant routers, with no outgoing reply, and ICMP:4.0 and ICMP:8.0 packets
coming in with an ICMP:0.0 reply to each.

So far I don't understand a lot of what I found in icmp.h about these
codes, so presumably I'll have to dig out the appropriate RFC in order to
get a broader understanding of what icmp does and what I want to concern
myself with.


-------------------
# might be useful to someone

# log incoming pings
allow log icmp from any to xx.xx.xx.xx icmptype 8   

# picks up traceroute probes, but probably other things as well
allow log icmp from xx.xx.xx.xx to any icmptype 3 

# this one will pick up a standard unix traceroute, but a doctored one
# could use other ports
allow udp from xx.xx.xx.xx to any 33400-33499
--------------------

Can anyone explain this... It took place within a second while I've been
writing this, and was repeated 2 minutes later. yy.yy.yy.yy is a distant
remote host.

ipfw: 40000 Accept ICMP:8.0 yy.yy.yy.yy xx.xx.xx.xx in via de0
ipfw: 40000 Accept ICMP:166.79 yy.yy.yy.yy xx.xx.xx.xx in via de0 Fragment = 69
ipfw: 40010 Accept ICMP:0.0 xx.xx.xx.xx yy.yy.yy.yy out via de0


Is the 79 in the middle line the port number of a fragmented packet? 
There's been some stuff about finger and nis lately. 

Andrew McNaughton
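An added example, not part of the original post: a small parser for the ipfw ICMP log lines quoted above. It maps the type.code field to the RFC 792 message names (8.0 echo request, 0.0 echo reply, 11.0 time exceeded, 4.0 source quench) and flags lines that carry a "Fragment = N" suffix, on the assumption that N is a non-zero fragment offset; a non-first fragment has no ICMP header, so the type.code bytes printed for such a line (166.79 in the post) are datagram payload rather than an ICMP type and code.

```python
import re

# ICMP message types from RFC 792 that matter for the rules in the post.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
}

# Matches the ipfw log format quoted in the post; "Fragment = N" is optional.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<iface>\S+)"
    r"(?: Fragment = (?P<frag>\d+))?$"
)

def parse_icmp_log(line):
    """Parse one ipfw ICMP log line; return None if it is not in that format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "type", "code", "frag"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    # Assumption: "Fragment = N" marks a non-first fragment. Such a fragment
    # carries no ICMP header, so the printed type.code is payload bytes and
    # must not be interpreted as an ICMP type and code.
    rec["header_reliable"] = rec["frag"] is None
    rec["type_name"] = (ICMP_TYPES.get(rec["type"], "unknown")
                        if rec["header_reliable"] else "n/a (fragment)")
    return rec

# Constructed sample input: the three log lines quoted in the post.
SAMPLE_LOG = """\
ipfw: 40000 Accept ICMP:8.0 yy.yy.yy.yy xx.xx.xx.xx in via de0
ipfw: 40000 Accept ICMP:166.79 yy.yy.yy.yy xx.xx.xx.xx in via de0 Fragment = 69
ipfw: 40010 Accept ICMP:0.0 xx.xx.xx.xx yy.yy.yy.yy out via de0
"""

def summarize(log_text):
    """One (rule, direction, type_name, header_reliable) tuple per parsed line."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_icmp_log(line)
        if rec is not None:
            rows.append((rec["rule"], rec["direction"],
                         rec["type_name"], rec["header_reliable"]))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```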


