From owner-freebsd-security Sun Aug 16 19:02:39 1998
Date: Sun, 16 Aug 1998 21:06:54 -0500 (CDT)
From: "Jasper O'Malley"
To: Joao Paulo Campello
cc: security@FreeBSD.ORG
Subject: Re: hosts.deny/allow & ICMP Attacks
In-Reply-To: <3.0.5.32.19980816210952.007c5b20@neoplanos.com.br>
Sender: owner-freebsd-security@FreeBSD.ORG

On Sun, 16 Aug 1998, Joao Paulo Campello wrote:

> #1
>
> Does anybody here know if there's any way to break hosts.deny/allow
> protection in BSD or even Linux Systems?

Find an exploit in tcpd or otherwise gain root on the system in question.

> #2
>
> Is there any filter/firewall/thing I can do for blocking ICMP Attacks?
> Like ICMP Type 8 (PING) or ICMP Type 3 (UNREACH) ?!?! Ooho, sorry... I know
> I can use *ipfw* to filter these packets and not to respond to the PING, for
> example... But in this way my incoming link would be fully filled anyway...
> So how can I filter in the router level, and be sure the PINGs will not
> fill my incoming link?

Most modern routers provide packet filtering capabilities (a la ipfw); the
better routers can do it at wire speed. With a Cisco, for instance, you can
use an access-list to drop all ICMP packets before they make it onto your
internal network. At that point, you only have to worry about having your
external link flooded.

If you have a decent router, even if your external link is completely
overrun with non-legit traffic, your internal network should continue to
work dandily (although you may not have external connectivity).

Cheers,
Mick

The Reverend Jasper P. O'Malley          dotdot:jooji@webnology.com
Systems Administrator                    ringring:asktheadmiral
Webnology, LLC                           woowoo:http://www.webnology.com/~jooji
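
The access-list approach described in the reply above, as an added example that is not part of the original message. The ACL numbers (101, 102) and the interface name Serial0 are assumptions; the second variant goes beyond the message by keeping the two ICMP error types that path MTU discovery and traceroute depend on.

```cisco
! Added example, not from the original message.
! ACL numbers and interface name are assumptions for illustration.
!
! Variant A: as described in the reply, drop every inbound ICMP packet
! at the border router and pass all other IP traffic.
access-list 101 deny   icmp any any
access-list 101 permit ip any any
!
! Variant B: still drops echo requests (type 8) and generic unreachables
! (type 3), but lets through "fragmentation needed" (type 3 code 4) and
! time-exceeded (type 11). Dropping those two breaks path MTU discovery
! and traceroute for hosts behind the router.
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 deny   icmp any any
access-list 102 permit ip any any
!
! Apply one of the lists inbound on the external (upstream-facing) interface.
interface Serial0
 ip access-group 102 in
```

Either list only protects the network behind the router; as the reply notes, the external link itself can still be filled, since the packets are dropped after they have crossed it.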