Date:      Thu, 01 Dec 2011 18:45:48 -0500
From:      Jon Radel <jon@radel.com>
To:        Tim Daneliuk <tundra@tundraware.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: ipfw And ping
Message-ID:  <4ED811AC.4040901@radel.com>
In-Reply-To: <4ED80CD0.8070709@tundraware.com>
References:  <4ED80CD0.8070709@tundraware.com>


On 12/1/11 6:25 PM, Tim Daneliuk wrote:
>
> I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine.
> Pings were not getting through so I added this near the top
> of the rule set:
>
> #####
> # Allow icmp
> #####
>
> ${FWCMD} add allow icmp from any to any
>
>
> It does work but, two questions:
>
> 1) Is there a better way?

Consider allowing only the ICMP that does things you want to do.  Google 
something like "icmp types to allow" for some hints and opinions.  Just 
as an example, you can independently control being able to ping others 
and others being able to ping you.

> 2) Will this cause harm or otherwise expose the server to some
> vulnerability?

Well, if you allow all ICMP types, it's possible to make your little 
packets go places you didn't really want them to go, and similar network 
breakage.  You can also find those who feel strongly that allowing 
others to ping your machines gives them way too much information about 
what you have at which IP address.  On the other hand, working ping and 
traceroute can be very handy to figure out what's wrong when the network 
breaks.  But do you open up access on your server?---well not so much, 
though having said that I'm ready for somebody to remind me of some 
obscure attack that uses ICMP for more than information gathering.  :-)

--Jon Radel
jon@radel.com
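
One way to apply the selective approach Jon describes (controlling "me pinging others" and "others pinging me" independently, while still letting the ICMP errors that PMTU discovery and traceroute depend on through), as an added example that is not code from this thread: it follows the `${FWCMD}` convention of rc.firewall, uses `em0` as a placeholder interface name, and prints the rules by default so they can be reviewed before being loaded with `FWCMD=/sbin/ipfw`.

```shell
#!/bin/sh
# Added example, not from the thread. FWCMD defaults to printing the
# rules (dry run); set FWCMD=/sbin/ipfw to actually install them.
FWCMD="${FWCMD:-echo ipfw}"

# icmp_rules <external-interface> <yes|no: let others ping this host>
icmp_rules() {
    oif="$1"
    allow_inbound_ping="$2"

    # This host pinging others: echo request (type 8) out,
    # echo reply (type 0) back in.
    ${FWCMD} add allow icmp from me to any out via "$oif" icmptypes 8
    ${FWCMD} add allow icmp from any to me in via "$oif" icmptypes 0

    # Destination unreachable (3) is needed for path-MTU discovery,
    # time exceeded (11) is what makes traceroute work.
    ${FWCMD} add allow icmp from any to me in via "$oif" icmptypes 3,11

    # Others pinging this host: only when explicitly enabled.
    if [ "$allow_inbound_ping" = "yes" ]; then
        ${FWCMD} add allow icmp from any to me in via "$oif" icmptypes 8
        ${FWCMD} add allow icmp from me to any out via "$oif" icmptypes 0
    fi

    # Everything else ICMP (redirects, timestamp, router
    # advertisement, ...) is dropped on the external interface.
    ${FWCMD} add deny icmp from any to any via "$oif"
}

# Example invocation: rules for em0 with inbound ping disabled.
icmp_rules em0 no
```

Because ipfw matches rules in order, these need to sit above any catch-all `deny ip from any to any` rule, just as the original `allow icmp from any to any` did.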
