From owner-freebsd-questions Sat Oct 5 17:49:12 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 540CC37B401; Sat, 5 Oct 2002 17:49:11 -0700 (PDT)
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 498DC43E42; Sat, 5 Oct 2002 17:49:10 -0700 (PDT) (envelope-from keramida@freebsd.org)
Received: from hades.hell.gr (patr530-a173.otenet.gr [212.205.215.173]) by mailsrv.otenet.gr (8.12.6/8.12.6) with ESMTP id g960n76T002546; Sun, 6 Oct 2002 03:49:08 +0300 (EEST)
Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.6/8.12.6) with ESMTP id g960nENT043894; Sun, 6 Oct 2002 03:49:14 +0300 (EEST) (envelope-from keramida@freebsd.org)
Received: (from keramida@localhost) by hades.hell.gr (8.12.6/8.12.6/Submit) id g960nCNH043883; Sun, 6 Oct 2002 03:49:12 +0300 (EEST) (envelope-from keramida@freebsd.org)
Date: Sun, 6 Oct 2002 03:49:11 +0300
From: Giorgos Keramidas
To: "Jack L. Stone"
Cc: "Patrick O'Reilly", questions@freebsd.org, master
Subject: Re: block icmp with ipfw
Message-ID: <20021006004911.GB39351@hades.hell.gr>
References: <3.0.5.32.20021005085103.011d62c0@mail.sage-one.net> <3.0.5.32.20021005193900.01199da8@mail.sage-one.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3.0.5.32.20021005193900.01199da8@mail.sage-one.net>
X-PGP-Fingerprint: C1EB 0653 DB8B A557 3829 00F9 D60F 941A 3186 03B6
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 2002-10-05 19:39, "Jack L. Stone" wrote:
> At 09:41 PM 10.5.2002 +0300, Giorgos Keramidas wrote:
> >On 2002-10-05 08:51, Jack L. Stone wrote:
> >> At 03:41 PM 10.5.2002 +0200, Patrick O'Reilly wrote:
> >> >From: "master"
> >> > > hi all i would like to know the syntax of ipfw to block icmp ping?
> >> > > (echo and reply)
> >> >
> >> > ipfw add 123 deny ip from any to any icmptypes 8
> >>
> >> .... but if you still want to ping OUT....
> >> ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
> >
> >That will negate the effect of any firewall rules that "block" icmp
> >packets though, i.e. it's the opposite of what was asked :-)
>
> ....then answer the poster's question. I don't have the same other rule in
> conflict....

Pardon me for sounding a bit offensive, if I did. I meant that there is no
good rule that allows outgoing pings but blocks incoming ones. You can
probably use something that depends on ipfw states, but icmp is not
really good at keeping states and dynamic rules will eat more resources
than simply blocking all icmps.
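As an added illustration (not code from the thread, and not ipfw itself), a small Python model of ipfw's first-match evaluation run over the two rules quoted above, to show how their relative numbering decides what happens to an inbound ping, an outbound ping and the reply to it. The interface name fxp0, the numbers given to the unnumbered pass rule, and the three packets are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    number: int
    action: str                      # "allow" (ipfw "pass") or "deny"
    proto: str                       # "ip" matches any protocol
    icmptypes: Optional[set] = None  # None: any ICMP type
    direction: Optional[str] = None  # "in", "out" or None for both
    via: Optional[str] = None        # interface name, None for any

@dataclass
class Packet:
    proto: str
    icmptype: Optional[int]
    direction: str
    iface: str

def matches(rule: Rule, pkt: Packet) -> bool:
    # Simplified match clause: proto, icmptypes, in/out, via <iface>.
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.icmptypes is not None and not (pkt.proto == "icmp" and pkt.icmptype in rule.icmptypes):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return rule.via is None or rule.via == pkt.iface

def evaluate(rules, pkt: Packet):
    # First match wins in rule-number order; the implicit rule 65535 denies
    # whatever nothing else matched (the default-to-deny kernel build).
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"

OIF = "fxp0"  # assumed outside interface, standing in for ${oif}
DENY = Rule(123, "deny", "ip", icmptypes={8})  # "ipfw add 123 deny ip from any to any icmptypes 8"
def pass_out(number):  # "pass icmp from any to any icmptypes 8 out via ${oif}", number assumed
    return Rule(number, "allow", "icmp", icmptypes={8}, direction="out", via=OIF)

# Constructed packets: someone pings us, we ping someone, and their echo reply comes back.
PING_IN = Packet("icmp", 8, "in", OIF)
PING_OUT = Packet("icmp", 8, "out", OIF)
REPLY_IN = Packet("icmp", 0, "in", OIF)

def decisions(rules):
    return {n: evaluate(rules, p) for n, p in
            (("ping_in", PING_IN), ("ping_out", PING_OUT), ("reply_in", REPLY_IN))}

if __name__ == "__main__":
    print("pass numbered after deny: ", decisions([DENY, pass_out(200)]))
    print("pass numbered before deny:", decisions([DENY, pass_out(100)]))
```

In both orderings the reply to our own outbound ping falls through to rule 65535, which is the gap that the reply above says only state tracking would close.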