Date:      Sun, 24 Feb 2002 10:30:23 -0500
From:      "Jeff Palmer" <scorpio@drkshdw.org>
To:        "Dag-Erling Smorgrav" <des@ofug.org>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: Couple of concerns with default rc.firewall
Message-ID:  <001101c1bd48$2df35020$0286a8c0@home.lan>
References:  <003b01c1bcda$d4f06020$0286a8c0@home.lan> <xzpy9hjulb4.fsf@flood.ping.uio.no>

DES,

Maybe you fail to see my point.  I was wondering if there was a reason the
FreeBSD team has decided not to allow certain ICMPs by default.
I'm perfectly aware of how to change the rules to do what I want.  I was
asking if there was a reason for this decision, or if it was an oversight.


----- Original Message -----
From: "Dag-Erling Smorgrav" <des@ofug.org>
To: "Jeff Palmer" <scorpio@drkshdw.org>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Sunday, February 24, 2002 7:16 AM
Subject: Re: Couple of concerns with default rc.firewall


> "Jeff Palmer" <scorpio@drkshdw.org> writes:
> > Is there any reason in particular, that ALL icmp traffic is denied
> > by default, except for using the 'open' ruleset?
>
> The default rule #65535 is "deny ip from any to any".  Wouldn't you be
> surprised if this *didn't* block all ICMP packets?
>
> Just add the following early on in your firewall ruleset:
>
>     allow icmp from any to any icmptype 0,3,8,11
>
> preferably *after* any anti-spoofing rules.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org
>
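As an added illustration of the ordering DES describes (this is example code, not the list post's or FreeBSD's own rc.firewall), the fragment below emits an ipfw ruleset in which the anti-spoofing rules come first and the ICMP types named above are allowed only afterwards; the interface name `fxp0` and the inside network `192.168.1.0/24` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.firewall.
oif="fxp0"              # assumed outside interface
inet="192.168.1.0/24"   # assumed inside network
# Set FWCMD=/sbin/ipfw to load the rules; by default they are only printed.
fwcmd="${FWCMD:-echo}"

build_ruleset() {
    # Anti-spoofing: packets arriving on the outside interface must not
    # claim an inside, loopback or RFC 1918 source address.
    echo "add 100 deny ip from $inet to any in via $oif"
    echo "add 110 deny ip from 127.0.0.0/8 to any in via $oif"
    echo "add 120 deny ip from 10.0.0.0/8 to any in via $oif"
    echo "add 130 deny ip from 172.16.0.0/12 to any in via $oif"
    echo "add 140 deny ip from 192.168.0.0/16 to any in via $oif"
    # Only now admit echo reply (0), destination unreachable (3),
    # echo request (8) and time exceeded (11), as suggested in the thread.
    # Any other ICMP still falls through to rule 65535, deny ip from any to any.
    echo "add 200 allow icmp from any to any icmptype 0,3,8,11"
}

rule_position() {
    # 1-based position of the first emitted rule matching $1; empty if none.
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

load_ruleset() {
    # Feed each rule to $fwcmd (echo for a dry run, ipfw to load it).
    build_ruleset | while read -r rule; do $fwcmd $rule; done
}

load_ruleset
```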

