Date:      24 Nov 2000 11:57:39 +0100
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        Vlad <tmd@tmd.df.ru>
Cc:        security@FreeBSD.ORG
Subject:   Re: ipf - icmp
Message-ID:  <xzp66ldtz6k.fsf@flood.ping.uio.no>
In-Reply-To: Vlad's message of "Thu, 23 Nov 2000 14:35:56 -0500 (EST)"
References:  <Pine.BSF.4.21.0011231431360.18361-100000@tmd.df.ru>

Vlad <tmd@tmd.df.ru> writes:
> pass in quick on sis0 proto icmp from any to any icmp-type 0
> pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
> pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
> pass in quick on sis0 proto icmp from any to any icmp-type timex  
> pass out quick on sis0 proto icmp from any to any
> 
> these entries will allow you to ping/traceroute anyone, will prohibit
> anyone from pinging/tracerouting you.

No. There is no way to completely prevent someone from tracerouting
you. You can make it slightly harder by blocking incoming UDP (which
your ruleset does not), but that's about it.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

