From owner-freebsd-security Mon Jun 21 22:43:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.thegrid.net (smtp.thegrid.net [209.162.1.11])
	by hub.freebsd.org (Postfix) with SMTP id 8D22914D36
	for ; Mon, 21 Jun 1999 22:43:36 -0700 (PDT)
	(envelope-from dean@thegrid.net)
Received: (qmail 24366 invoked from network); 22 Jun 1999 05:43:36 -0000
Received: from pop.thegrid.net (209.162.1.5)
	by smtp.thegrid.net with SMTP; 22 Jun 1999 05:43:36 -0000
Received: from zippy (lax-ts6-h1-54-27.ispmodems.net [209.162.54.27])
	by pop.thegrid.net (8.9.1a/8.9.1) with SMTP id WAA12832
	for ; Mon, 21 Jun 1999 22:43:34 -0700 (PDT)
Message-Id: <4.1.19990621221636.0091fac0@mail.thegrid.net>
X-Sender: i289861@mail.thegrid.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 21 Jun 1999 22:35:39 -0700
To: freebsd-security@FreeBSD.ORG
From: Dean
Subject: Re: ip firewall and icmp/dos.
In-Reply-To:
References: <376E9ECA.F30CC3FC@telebot.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You can find the rfc for icmp at http://www.faqs.org/rfcs/rfc792.html.

To get down to business, here's my ipfw line for icmp.

    allow icmp from any to any in icmptype 0,3,4,11,12,14,16

So, coming in, I allow Echo Reply, Destination Unreachable, Source Quench,
Time Exceeded, Parameter Problem, Timestamp Reply, and Information Reply.
Everything else should be blocked. I allow anything out past my firewall.
For more opinions on this, dredge through the security mailing list
archives at http://www.FreeBSD.org.

As far as the other DoS's go, you should not allow anything you don't
explicitly need. There are many types of DoS's available to the modern
script kiddie.... Many of them do not rely on weakness in protocols.
(feeding a 1024 username to an ftp server) Anyway, read up on the bugtraq
mailing list.
(http://www.geek-girl.com/bugtraq)

Dean

At 05:05 PM 6/21/99 -0400, you wrote:
>man ipmon
>
>---------------------------------------------
>Pete Fritchman petef@netreach.net
>Netreach www.netreach.net
>System Administrator
>
>On Mon, 21 Jun 1999, Jason L. Schwab wrote:
>
>>
>> Could someone please give me an example as to what lines I should add
>> to my ruleset
>> to keep from being Denial Of Service attacked and/or ICMP'd? Thanks. I
>> have IPFIREWALL and IPFIREWALL_VERBOSE as options in my kernel. and I
>> have the firewall_type set to "open" for
>> right now.
>>
>> Also, I know that the IPFIREWALL_VERBOSE turns on logging, how can I
>> see what it logs?
>>
>> -- thanks
>>
>>
>> _____________________________________________________________________________
>> World's First Provider of FREE 800# U.S. Toll Free Voicemail to Email Service
>> Get your own FREE voicemail, fax and Paging account at http://www.telebot.com
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
>>
>
>

-------------------------------------------------------------------------------
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation....
-------------------------------------------------------------------------------
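
Added example, not part of the original message: the inbound ICMP allowlist above paired with the explicit deny it needs when firewall_type is "open", since that ruleset passes everything and an allow line alone blocks nothing. The rule numbers 300 and 310 and the helper names icmp_name, icmp_verdict and icmp_rules are assumptions made for this sketch; the script only prints the ipfw commands and the per-type verdict for review and loads nothing.

```shell
#!/bin/sh
# Added example: inbound ICMP allowlist from the message plus an explicit deny.
ALLOWED_ICMP="0,3,4,11,12,14,16"   # type list taken from the message

# RFC 792 name for an ICMP type number.
icmp_name() {
    case "$1" in
        0)  echo "Echo Reply" ;;
        3)  echo "Destination Unreachable" ;;
        4)  echo "Source Quench" ;;
        5)  echo "Redirect" ;;
        8)  echo "Echo" ;;
        11) echo "Time Exceeded" ;;
        12) echo "Parameter Problem" ;;
        13) echo "Timestamp" ;;
        14) echo "Timestamp Reply" ;;
        15) echo "Information Request" ;;
        16) echo "Information Reply" ;;
        *)  echo "not defined in RFC 792" ;;
    esac
}

# Verdict the rule pair below gives an inbound ICMP packet of type $1.
# Wrapping both sides in commas keeps "1" from matching inside "11".
icmp_verdict() {
    case ",$ALLOWED_ICMP," in
        *",$1,"*) echo allow ;;
        *)        echo deny ;;
    esac
}

# Print the ipfw commands. 300/310 are assumed numbers; they only need to
# sort ahead of the pass-all rule that the "open" ruleset installs.
# ipfw(8) documents the option as "icmptypes". "log" makes the kernel record
# matches when it is built with IPFIREWALL_VERBOSE.
icmp_rules() {
    echo "ipfw add 300 allow icmp from any to any in icmptypes $ALLOWED_ICMP"
    echo "ipfw add 310 deny log icmp from any to any in"
}

# Review output: the commands, then what each RFC 792 type would get.
icmp_rules
for t in 0 3 4 5 8 11 12 13 14 15 16; do
    printf '%-4s %-26s %s\n' "$t" "$(icmp_name "$t")" "$(icmp_verdict "$t")"
done
```
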