From owner-freebsd-security Mon Jun 21 21:49:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kitsune.swcp.com (swcp.com [198.59.115.2]) by hub.freebsd.org (Postfix) with ESMTP id 733ED14DC3 for ; Mon, 21 Jun 1999 21:49:54 -0700 (PDT) (envelope-from synk@swcp.com)
Received: (from synk@localhost) by kitsune.swcp.com (8.8.8/1.2.3) id WAA07759; Mon, 21 Jun 1999 22:49:53 -0600 (MDT)
Date: Mon, 21 Jun 1999 22:49:53 -0600 (MDT)
From: Brendan Conoboy
Message-Id: <199906220449.WAA07759@kitsune.swcp.com>
To: jschwab@telebot.net
Subject: Re: ip firewall and icmp/dos.
Cc: freebsd-security@FreeBSD.ORG, petef@netreach.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> From: Pete Fritchman
> To: "Jason L. Schwab"
> Subject: Re: ip firewall and icmp/dos.
>
> man ipmon

ipmon? Ipmon is the proggy that takes logs from IP Filter, not ipfw.

> On Mon, 21 Jun 1999, Jason L. Schwab wrote:
> >
> > Could someone please give me an example as to what lines I should add
> > to my ruleset to keep from being Denial Of Service attacked and/or
> > ICMP'd? Thanks. I have IPFIREWALL and IPFIREWALL_VERBOSE as options in
> > my kernel, and I have the firewall_type set to "open" for right now.
> >
> > Also, I know that IPFIREWALL_VERBOSE turns on logging; how can I see
> > what it logs?

Hi Jason.

My first suggestion would be to use IPFILTER and IPFILTER_LOG instead of
IPFIREWALL and IPFIREWALL_VERBOSE, then you can use my handy howto at
http://www.swcp.com/~synk/ipf-howto.txt :-) Then you could also use ipmon
for logging, as was suggested.

If you'd prefer sticking with IPFIREWALL (which uses the ipfw command), I'd
suggest taking a look at the ipfw(8) man page (type "man 8 ipfw"). You
should also take a look at /etc/rc.firewall. This is where the
"firewall_type" option is examined and rules are put into effect. You can
learn a bit from the examples in there.

You can block and log all ICMP traffic with:

    /sbin/ipfw add deny log icmp from any to YourIpAddress

This will keep it from coming or going. If this is *really* what you want
to do (ping and traceroute will stop working), you'll need to work that
into rc.firewall.

I'm not sure what Denial Of Service attacks you're worried about, so I
don't know what's going to help you.

Lastly, if you're really concerned about the security of the system you're
working with, you might want somebody else to help you with the firewall.
The first attempts at them tend to be too loose or too tight, and generally
not what you're really going for.

-Brendan (everybody who's locked themselves out with ipfw nod and smile :-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
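An added example, not part of Brendan's mail or of rc.firewall, showing the middle ground between "open" and the blanket deny above: an ipfw ruleset that drops and logs the ICMP nobody on a workstation needs (redirects, router advertisements, timestamp/mask requests) while still letting ping and traceroute work by admitting echo-reply, destination-unreachable and time-exceeded with the ipfw(8) "icmptypes" option. The rule numbers 1000-1040 and the address 192.0.2.10 (standing in for YourIpAddress) are assumptions for illustration; run it without arguments and it only prints the commands, so nothing is changed until you review them and re-run with "apply".

```sh
#!/bin/sh
# Selective ICMP filtering with ipfw (added example, not from the original
# mail).  Assumed: rule numbers 1000-1040 are unused in your ruleset, and
# 192.0.2.10 (constructed, documentation range) stands for your own address.
#
# icmp_rules MYIP [apply]
#   Without "apply" the ipfw commands are only printed (dry run).
#   With "apply" each command is executed through /sbin/ipfw.
icmp_rules() {
    myip="$1"
    mode="${2:-print}"
    fwcmd="/sbin/ipfw"

    # run ARGS...: print the command, or execute it in apply mode.
    run() {
        if [ "$mode" = "apply" ]; then
            "$fwcmd" "$@"
        else
            echo "$fwcmd $*"
        fi
    }

    # 1000: our own outbound ICMP (ping must be able to send echo-requests,
    #       and we still want to emit unreachables ourselves).
    run add 1000 allow icmp from "$myip" to any out

    # 1010: echo-reply (type 0) is the answer to our own pings.
    run add 1010 allow icmp from any to "$myip" in icmptypes 0

    # 1020: destination-unreachable (3) and time-exceeded (11) are what
    #       traceroute and path-MTU discovery rely on; blocking them is the
    #       usual way a "block all ICMP" rule breaks things.
    run add 1020 allow icmp from any to "$myip" in icmptypes 3,11

    # 1030: inbound echo-request (8): answer it so others can ping us.
    #       Remove this rule if you want the host to stay silent to ping;
    #       rule 1040 then drops and logs the requests.
    run add 1030 allow icmp from any to "$myip" in icmptypes 8

    # 1040: every other ICMP type aimed at us (redirect, router
    #       advertisement, timestamp and address-mask requests, ...) is
    #       dropped and logged.
    run add 1040 deny log icmp from any to "$myip" in
}

# Dry run: print the five rules for review.
icmp_rules 192.0.2.10
```

To make the rules permanent, put the printed lines (minus the "/sbin/ipfw" prefix) in a file and point firewall_type at that file; rc.firewall's default case feeds such a file to ipfw. Since the deny rule logs, a flood of junk ICMP will also flood the console and syslog; the IPFIREWALL_VERBOSE_LIMIT kernel option caps how many log lines a single rule may produce, which is worth setting alongside IPFIREWALL_VERBOSE.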