Date: Thu, 17 Aug 2000 11:29:07 +0200
From: Manfredi Blasucci <sonoro@inet.it>
To: "Rashid N. Achilov" <achilov@granch.ru>
Cc: Erick Mechler <emechler@sendmail.com>, freebsd-security@FreeBSD.ORG
Subject: Re: deny incoming icmp
Message-ID: <399BB063.EB511C8A@inet.it>
References: <XFMail.000817160509.shelton@sentry.granch.ru>

"Rashid N. Achilov" wrote:
>
> Sorry, more precision...
>
> I have a firewall protecting my network. IPFIREWALL, IPFIREWALL_VERBOSE, IPFIREWALL_FORWARD
> are enabled. How can I allow icmp from our network and deny/fake incoming icmp to our network?
> --
Try with those:
${fwcmd} add allow log icmp from any to $ip via $eth out
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 0     # Echo Reply
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 3     # Destination Unreachable
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 8     # Echo
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 11    # Time Exceeded
${fwcmd} add allow log icmp from any to $ip via $eth in icmptypes 12    # Parameter Problem
See also http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf.
Bye,
Manf
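
The following is an added example, not part of the original message or of FreeBSD's rc.firewall: a dry-run generator that prints the same allow rules with the ICMP types collapsed into one `icmptypes` list, followed by an explicit deny for all other incoming ICMP. The deny rule, the function name `emit_icmp_rules`, and the sample address and interface are assumptions; the message itself lists only allow rules, and ipfw applies the first matching rule.

```shell
#!/bin/sh
# Added example: prints ipfw commands for review; it does not touch the firewall.
# Usage: emit_icmp_rules FWCMD IP IFACE TYPE [TYPE...]
emit_icmp_rules() {
    fwcmd=$1
    ip=$2
    eth=$3
    shift 3
    types=""
    for t in "$@"; do
        # Reject anything that is not a decimal ICMP type in 0..255,
        # so a typo never ends up inside a firewall rule.
        case $t in
            ''|*[!0-9]*) echo "bad ICMP type: $t" >&2; return 1 ;;
        esac
        [ "$t" -le 255 ] || { echo "bad ICMP type: $t" >&2; return 1; }
        types="${types:+$types,}$t"
    done
    [ -n "$types" ] || { echo "no ICMP types given" >&2; return 1; }

    # Outgoing ICMP rule, exactly as in the message above.
    echo "$fwcmd add allow log icmp from any to $ip via $eth out"
    # Incoming ICMP: only the listed types pass.
    echo "$fwcmd add allow log icmp from any to $ip via $eth in icmptypes $types"
    # Assumption (not in the message): drop and log every other incoming ICMP
    # type. Must come after the allow rule because the first match wins.
    echo "$fwcmd add deny log icmp from any to $ip via $eth in"
}

# Constructed sample values: documentation address 192.0.2.10, interface fxp0.
# Types: 0 Echo Reply, 3 Destination Unreachable, 8 Echo,
#        11 Time Exceeded, 12 Parameter Problem.
emit_icmp_rules /sbin/ipfw 192.0.2.10 fxp0 0 3 8 11 12
```

Review the printed rules before piping them to `sh`. Keeping type 3 in the list matters because path MTU discovery depends on Destination Unreachable messages.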
