Date: Mon, 7 Oct 2002 16:06:23 +0200 (CEST)
Message-Id: <200210071406.g97E6Nlc087362@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-questions@FreeBSD.ORG
Reply-To: freebsd-questions@FreeBSD.ORG
Subject: Re: block icmp with ipfw
In-Reply-To: <20021007093549.GA7137@submonkey.net>
X-Newsgroups: list.freebsd-questions
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.6-STABLE (i386))

Ceri Davies wrote:
> add 00602 allow icmp from any to any icmptypes 8 out
> add 00603 allow icmp from any to any icmptypes 0 in
> ...
> default deny

You should really do it the other way around: let all ICMP types
through, _except_ for those that you don't want (i.e. ICMP ECHO).
You will probably want several things to work correctly which
depend on ICMP, such as path MTU discovery (RFC1191), detection
of unreachable destinations or networks, and similar things.

ICMP means internet control message protocol -- without it,
several internet-related things just don't work.

Personally, I wouldn't block ICMP at all, not even ICMP ECHO.
FreeBSD's ICMP bandwidth limit handles the usual situations
where you'd want to limit ICMP pretty well.

   $ sysctl net.inet.icmp.icmplim
   net.inet.icmp.icmplim: 200

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)
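The ruleset shape Oliver recommends (permit ICMP in general, deny only the types you have decided to drop, so that unreachables, time-exceeded and path-MTU messages keep flowing), written out as an added example that is not part of the original thread. The script only prints ipfw rules and evaluates them in ipfw's first-match order with a small shell simulator, so it can be checked on any box without ipfw; the rule numbers 600 onwards and the function names are my own assumptions, not from the post.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Emits an ipfw ICMP ruleset in the "allow all, deny a chosen few" shape.
# $1 is a comma-separated list of ICMP types to deny inbound (e.g. "8" for
# ECHO request); empty means deny nothing, which is what the reply suggests.
# Rule numbers starting at 600 are an assumption, not from the post.
icmp_ruleset() {
    deny_types="$1"
    n=600
    if [ -n "$deny_types" ]; then
        # Deny only the chosen types, inbound only, so outbound probes still work.
        printf 'add %05d deny icmp from any to any icmptypes %s in\n' "$n" "$deny_types"
        n=$((n + 1))
    fi
    # Everything else ICMP passes in both directions: type 3 (unreachable,
    # including code 4 "fragmentation needed" used by path MTU discovery),
    # type 11 (time exceeded), type 0 (echo reply), and so on.
    printf 'add %05d allow icmp from any to any\n' "$n"
}

# Evaluate the generated ruleset the way ipfw does: first matching rule wins,
# and a packet that matches nothing falls through to "default deny".
# usage: icmp_verdict TYPE in|out DENY_TYPES   -> prints allow or deny
icmp_verdict() {
    type="$1"; dir="$2"; deny="$3"
    result=$(icmp_ruleset "$deny" | while read -r _add _num action _proto _from _a1 _to _a2 rest; do
        rtypes=""; rdir=""
        set -- $rest
        while [ $# -gt 0 ]; do
            case "$1" in
                icmptypes) rtypes="$2"; shift 2 ;;
                in|out)    rdir="$1";   shift ;;
                *)         shift ;;
            esac
        done
        # A rule with a direction only matches packets in that direction.
        if [ -n "$rdir" ] && [ "$rdir" != "$dir" ]; then continue; fi
        # A rule with icmptypes only matches one of the listed types.
        if [ -n "$rtypes" ]; then
            match=0
            for t in $(echo "$rtypes" | tr ',' ' '); do
                [ "$t" = "$type" ] && match=1
            done
            [ "$match" = 1 ] || continue
        fi
        echo "$action"
        exit 0
    done)
    echo "${result:-deny}"
}

# The rate limit the reply points to; prints a note where sysctl is not FreeBSD's.
show_icmplim() {
    sysctl -n net.inet.icmp.icmplim 2>/dev/null || echo "net.inet.icmp.icmplim not available on this host"
}

# Stand-alone run: show the ruleset with ECHO requests denied inbound, and
# the ruleset with nothing denied at all.
icmp_ruleset 8
echo "---"
icmp_ruleset ""
echo "--- ICMP type 3 (unreachable) inbound under the first ruleset:"
icmp_verdict 3 in 8
```

Review the printed rules before feeding them to ipfw on a test machine; the simulator only models the fields these rules use (direction and icmptypes), not the full ipfw matching language.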