From owner-freebsd-security@FreeBSD.ORG Thu Sep 2 03:23:40 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AEABC16A4CE for ; Thu, 2 Sep 2004 03:23:40 +0000 (GMT)
Received: from metafocus.net (cbshost-12-155-142-123.sbcox.net [12.155.142.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 60EEF43D3F for ; Thu, 2 Sep 2004 03:23:40 +0000 (GMT) (envelope-from mudman@metafocus.net)
Received: from metafocus.net (localhost [127.0.0.1]) by metafocus.net (8.12.10/8.12.10) with ESMTP id i823bqgN031190 for ; Wed, 1 Sep 2004 20:37:52 -0700 (PDT) (envelope-from mudman@metafocus.net)
Received: from localhost (mudman@localhost) i823bq1d031187 for ; Wed, 1 Sep 2004 20:37:52 -0700 (PDT) (envelope-from mudman@metafocus.net)
Date: Wed, 1 Sep 2004 20:37:52 -0700 (PDT)
From: Dave
To: freebsd-security@freebsd.org
Message-ID: <20040901203202.U31170@metafocus.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: IPFW and icmp
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 02 Sep 2004 03:23:40 -0000

I'm not a master of the internet RFCs, but I do believe icmp messages have different types. Now to enable traceroute for IPFW, I might put in a rule like this:

    ipfw add pass icmp from any to me

However, how would I make a rule to limit icmp messages to just those used by traceroute? Can the messages be distinguished as such?

A dynamic rule that exists only for the duration of a traceroute execution would be even better. I take it 'setup' or 'check-state' would follow in that case?
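Added example, not from the original post or from the ipfw project: an rc.firewall-style fragment that admits only the ICMP types a UDP-based traceroute(8) waits for (type 11, time exceeded; type 3, destination unreachable), using ipfw's icmptypes option instead of "pass icmp from any to me". It assumes traceroute's traditional UDP base port 33434, and FWCMD is a hypothetical environment variable so the script only prints the rules unless pointed at /sbin/ipfw.

```shell
#!/bin/sh
# Added example (not the original poster's code): restrict inbound ICMP to
# the two types a UDP traceroute interprets, rather than passing all ICMP.
# Assumptions: ipfw(8) "icmptypes" option; traceroute probes are UDP to
# ports from 33434 upward; answers are ICMP type 11 from each hop and
# ICMP type 3 (code 3, port unreachable) from the final host.
# FWCMD is a hypothetical knob: unset, the rules are echoed for review;
# set FWCMD=/sbin/ipfw to actually load them.

fwcmd="${FWCMD:-echo ipfw}"

# Emit the rules, numbered from $1 (default 1000).
traceroute_rules() {
    base="${1:-1000}"
    # Outbound probes. 33434-33534 covers the default base port plus
    # 100 probes (default 30 hops x 3 probes = 90).
    $fwcmd add "$base" allow udp from me to any 33434-33534 out
    # Inbound answers: only time-exceeded (11) and unreachable (3).
    # Echo requests, redirects and the rest never match this rule.
    $fwcmd add $((base + 1)) allow icmp from any to me in icmptypes 3,11
    # Explicit deny for the remaining ICMP so the intent is visible in
    # "ipfw list"; on a default-to-deny ruleset it is redundant.
    $fwcmd add $((base + 2)) deny icmp from any to me in
}

# On the "dynamic rule" idea from the post: keep-state on the UDP probe
# creates a dynamic rule keyed on the packet's own protocol, addresses and
# ports, so the ICMP error that comes back (a different protocol) does not
# match it. The icmptypes rule above is still needed alongside any state.

# How many emitted rules carry the icmptypes restriction (for checking).
count_icmptypes_rules() {
    traceroute_rules "$@" | grep -c 'icmptypes 3,11'
}

traceroute_rules 1000
```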