Date:      Mon, 7 Oct 2002 16:06:23 +0200 (CEST)
From:      Oliver Fromme <olli@secnetix.de>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: block icmp with ipfw
Message-ID:  <200210071406.g97E6Nlc087362@lurza.secnetix.de>
In-Reply-To: <20021007093549.GA7137@submonkey.net>

Ceri Davies <setantae@submonkey.net> wrote:
 > add 00602 allow icmp from any to any icmptypes 8 out
 > add 00603 allow icmp from any to any icmptypes 0 in
 > ...
 > default deny

You should really do it the other way around:  let all ICMP
types through, _except_ for those that you don't want (i.e.
ICMP ECHO).  You will probably want several things to work
correctly which depend on ICMP, such as path MTU discovery
(RFC1191), detection of unreachable destinations or networks,
and similar things.  ICMP means internet control message
protocol -- without it, several internet-related things just
don't work.

Personally, I wouldn't block ICMP at all, not even ICMP ECHO.
FreeBSD's ICMP bandwidth limit handles the usual situations
where you'd want to limit ICMP pretty well.

$ sysctl net.inet.icmp.icmplim
net.inet.icmp.icmplim: 200

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)
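
An added example, not part of the thread: a small first-match simulator over ipfw-style ICMP rule lines, showing that the quoted ruleset (echo out, echo reply in, then default deny) drops the inbound unreachable and time-exceeded messages Oliver refers to, while the inverted ruleset (deny inbound echo requests, allow the rest of ICMP) lets them through. The rule lines are constructed here, and a final `deny ip from any to any` rule stands in for ipfw's default deny.

```python
import re

# Constructed rule lines in ipfw(8) syntax; rule 65535 models the default deny.
QUOTED_RULES = [
    "add 00602 allow icmp from any to any icmptypes 8 out",
    "add 00603 allow icmp from any to any icmptypes 0 in",
    "add 65535 deny ip from any to any",
]
INVERTED_RULES = [
    "add 00602 deny icmp from any to any icmptypes 8 in",  # drop inbound echo requests only
    "add 00603 allow icmp from any to any",                # every other ICMP type passes
    "add 65535 deny ip from any to any",
]

# Inbound ICMP types a host depends on; denying them breaks PMTU discovery
# (type 3 code 4, RFC 1191), unreachable detection and traceroute-style replies.
NEEDED_IN = {3: "destination unreachable", 11: "time exceeded", 12: "parameter problem"}

RULE_RE = re.compile(
    r"add\s+(\d+)\s+(allow|deny|drop)\s+(icmp|ip)\s+from\s+\S+\s+to\s+\S+"
    r"(?:\s+icmptypes\s+([\d,]+))?(?:\s+(in|out))?$")

def parse(line):
    """Parse the subset of ipfw syntax used above into a rule dict."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line}")
    num, action, proto, types, direction = m.groups()
    return {"num": int(num),
            "action": "allow" if action == "allow" else "deny",
            "proto": proto,
            "types": {int(t) for t in types.split(",")} if types else None,
            "dir": direction}

def verdict(rules, icmp_type, direction):
    """Action of the first matching rule in rule-number order, as ipfw evaluates."""
    for r in sorted((parse(l) for l in rules), key=lambda r: r["num"]):
        if r["proto"] == "icmp" and r["types"] is not None and icmp_type not in r["types"]:
            continue
        if r["dir"] is not None and r["dir"] != direction:
            continue
        return r["action"]
    return "deny"  # no rule matched: default deny

def blocked_needed_types(rules):
    """Needed inbound ICMP types that the ruleset denies (empty list is the goal)."""
    return sorted(t for t in NEEDED_IN if verdict(rules, t, "in") == "deny")
```

Run `blocked_needed_types` over a ruleset before deploying it; any non-empty result names the ICMP types whose loss will show up as hanging connections or misleading unreachable errors.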
