Date: Tue, 22 Jun 1999 08:19:31 -0400 (EDT)
From: Pete Fritchman <petef@netreach.net>
To: Brendan Conoboy <synk@swcp.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ip firewall and icmp/dos.
Message-ID: <Pine.GSO.3.96.990622081916.29628A-100000@borneo>
In-Reply-To: <199906220449.WAA07759@kitsune.swcp.com>

and his message was in reference to the ip filter...

---------------------------------------------
Pete Fritchman          petef@netreach.net
Netreach                www.netreach.net
System Administrator

On Mon, 21 Jun 1999, Brendan Conoboy wrote:

> > From: Pete Fritchman <petef@netreach.net>
> > To: "Jason L. Schwab" <jschwab@telebot.net>
> > Subject: Re: ip firewall and icmp/dos.
> >
> > man ipmon
>
> ipmon? Ipmon is the proggy that takes logs from IP filter, not ipfw.
>
> > On Mon, 21 Jun 1999, Jason L. Schwab wrote:
> > >
> > > Could someone please give me an example as to what lines I should add
> > > to my ruleset to keep from being Denial Of Service attacked and/or
> > > ICMP'd? Thanks. I have IPFIREWALL and IPFIREWALL_VERBOSE as options
> > > in my kernel. and I have the firewall_type set to "open" for right now.
> > >
> > > Also, I know that the IPFIREWALL_VERBOSE turns on logging, how can I
> > > see what it logs?
>
> Hi Jason. My first suggestion would be to use IPFILTER and IPFILTER_LOG
> instead of IPFIREWALL and IPFIREWALL_VERBOSE, then you can use my handy
> howto at http://www.swcp.com/~synk/ipf-howto.txt :-) Then you could
> also use ipmon for logging, as was suggested.
>
> If you'd prefer sticking with IPFIREWALL (which uses the ipfw command),
> I'd suggest taking a look at the ipfw(8) man page (type "man 8 ipfw").
> You should also take a look at /etc/rc.firewall. This is where the
> "firewall_type" option is examined and rules are put into effect. You
> can learn a bit from the examples in there.
>
> You can block and log all icmp traffic with:
>
> /sbin/ipfw add deny log icmp from any to YourIpAddress
>
> This will keep it from coming or going. If this is *really* what you
> want to do (ping and traceroute will stop working), you'll need to
> work that into rc.firewall. I'm not sure what Denial Of Service
> attacks you're worried about so I don't know what's going to help you.
>
> Lastly, if you're really concerned about security of the system you're
> working with, you might want somebody else to help you with the firewall.
> The first attempts at them tend to be too loose or too tight, and
> generally not what you're really going for.
>
> -Brendan (everybody who's locked themselves out with ipfw nod and smile:-)
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.3.96.990622081916.29628A-100000>
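
Added example, not part of either post and not FreeBSD's own rc.firewall code: a variant of the deny-and-log rule quoted above that first admits the ICMP reply types ping and traceroute depend on, so outbound diagnostics keep working while everything else is dropped and logged. The rule numbers 1000 and 1010, the address 192.0.2.10 and the `IPFW` dry-run variable are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: selective ICMP filtering with ipfw.
# Assumptions: rule numbers 1000/1010 and the address 192.0.2.10 are
# placeholders; substitute values that fit your own ruleset.

# Dry run by default: commands are printed, not executed.
# Set IPFW=/sbin/ipfw in the environment to apply them.
IPFW="${IPFW:-echo /sbin/ipfw}"

# Succeed only for a dotted-quad IPv4 address with octets 0-255, so a
# typo or stray shell text never reaches the ipfw command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit the allow rule before the deny rule: ipfw evaluates rules in
# numeric order and stops at the first match.
icmp_rules() {
    addr=$1
    if ! valid_ipv4 "$addr"; then
        echo "icmp_rules: not an IPv4 address: $addr" >&2
        return 1
    fi
    # 0 = echo reply, 3 = destination unreachable (also used by path
    # MTU discovery), 11 = time exceeded (traceroute replies).
    $IPFW add 1000 allow icmp from any to "$addr" icmptypes 0,3,11
    # All other ICMP to the host, inbound echo requests included, is
    # denied and logged.
    $IPFW add 1010 deny log icmp from any to "$addr"
}

icmp_rules "${1:-192.0.2.10}"
```

Review the printed commands before applying them from a remote session, and keep both rule numbers below any broader allow rule already in the ruleset so they are evaluated first.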