From owner-freebsd-security Fri Nov 24 3:43:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nevermind.kiev.ua (unknown [212.109.53.33]) by hub.freebsd.org (Postfix) with ESMTP id 1C47C37B479 for ; Fri, 24 Nov 2000 03:43:48 -0800 (PST)
Received: (from never@localhost) by nevermind.kiev.ua (8.11.1/8.11.1) id eAOBgKQ17355; Fri, 24 Nov 2000 13:42:21 +0200 (EET) (envelope-from never)
Date: Fri, 24 Nov 2000 13:42:19 +0200
From: Nevermind
To: Dag-Erling Smorgrav
Cc: Vlad , security@FreeBSD.ORG
Subject: Re: ipf - icmp
Message-ID: <20001124134218.A17181@nevermind.kiev.ua>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from des@ofug.org on Fri, Nov 24, 2000 at 11:57:39AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, Dag-Erling Smorgrav!

On Fri, Nov 24, 2000 at 11:57:39AM +0100, you wrote:
> Vlad writes:
> > pass in quick on sis0 proto icmp from any to any icmp-type 0
> > pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
> > pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
> > pass in quick on sis0 proto icmp from any to any icmp-type timex
> > pass out quick on sis0 proto icmp from any to any
> >
> > these entries will allow you to ping/traceroute anyone, and will prohibit
> > anyone from pinging/tracerouting you.
> No. There is no way to completely prevent someone from tracerouting
> you. You can make it slightly harder by blocking incoming UDP (which
> your ruleset does not), but that's about it.

Why not use ipfw?

ipfw add deny icmp from any to any via sis0

-- 
Alexandr P. Kovalenko
http://nevermind.kiev.ua/
NEVE-RIPE

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
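Added example, not part of the message above and not code from ipf or ipfw: a small Python evaluator for the subset of ipf rule syntax quoted in the thread. It models ipf's evaluation order (rules are checked top to bottom, the last match decides unless a matching rule carries `quick`, and a packet no rule matches is passed) and runs a set of constructed sample packets through the five quoted rules on their own, through the same rules plus an inbound UDP block of the kind Dag-Erling suggests, and through the same rules plus a trailing `block in on sis0 all`. The sample packets, the two added block rules and the trimmed ICMP name table are assumptions made for this example.

```python
"""Toy evaluator for the ipf(8) rule subset quoted in the message.

Modelled semantics (simplified from ipf.conf(5)):
  * rules are checked top to bottom and the LAST matching rule wins,
    unless a matching rule carries 'quick', which ends evaluation at once;
  * a packet that no rule matches is passed (ipf's default).
Supported keywords: pass|block, in|out, quick, on <if>, proto <p>,
from any to any, all, icmp-type <num|name> [code N].
"""
from dataclasses import dataclass
from typing import Optional

# Subset of ipf's symbolic ICMP type names -> numeric type
ICMP_TYPE_NAMES = {"echorep": 0, "unreach": 3, "echo": 8, "timex": 11}


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out", relative to the host
    ifname: str
    proto: str                      # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: str
    quick: bool = False
    ifname: Optional[str] = None
    proto: Optional[str] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one ipf rule line (only the subset listed above)."""
    toks = line.split()
    fields = {"action": toks[0], "direction": toks[1]}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            fields["quick"] = True
            i += 1
        elif t in ("on", "proto"):
            fields["ifname" if t == "on" else "proto"] = toks[i + 1]
            i += 2
        elif t in ("from", "to"):
            if toks[i + 1] != "any":
                raise ValueError("only 'from any to any' is supported")
            i += 2
        elif t == "all":
            i += 1
        elif t == "icmp-type":
            v = toks[i + 1]
            fields["icmp_type"] = int(v) if v.isdigit() else ICMP_TYPE_NAMES[v]
            i += 2
        elif t == "code":
            fields["icmp_code"] = int(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return Rule(**fields)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every selector present in the rule matches the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.ifname is not None and rule.ifname != pkt.ifname:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.icmp_code is not None and pkt.icmp_code != rule.icmp_code:
        return False
    return True


def decide(rules, pkt: Packet) -> str:
    decision = "pass"               # ipf passes anything no rule matches
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action  # last match wins ...
            if rule.quick:          # ... unless it is a 'quick' rule
                break
    return decision


# The five rules quoted in the message, verbatim.
QUOTED_RULES = [
    "pass in quick on sis0 proto icmp from any to any icmp-type 0",
    "pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3",
    "pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4",
    "pass in quick on sis0 proto icmp from any to any icmp-type timex",
    "pass out quick on sis0 proto icmp from any to any",
]
# Assumed additions for comparison: an inbound UDP block, and a catch-all.
WITH_UDP_BLOCK = QUOTED_RULES + ["block in quick on sis0 proto udp from any to any"]
WITH_DEFAULT_BLOCK = QUOTED_RULES + ["block in on sis0 all"]

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = {
    "out echo request (our ping)":       Packet("out", "sis0", "icmp", 8, 0),
    "in echo reply":                     Packet("in", "sis0", "icmp", 0, 0),
    "in time exceeded (our traceroute)": Packet("in", "sis0", "icmp", 11, 0),
    "in port unreachable":               Packet("in", "sis0", "icmp", 3, 3),
    "in host unreachable":               Packet("in", "sis0", "icmp", 3, 1),
    "in echo request (their ping)":      Packet("in", "sis0", "icmp", 8, 0),
    "in udp probe (their traceroute)":   Packet("in", "sis0", "udp"),
}


def decisions(rule_lines, packets=SAMPLE_PACKETS):
    """Map each sample packet name to the verdict of the given ruleset."""
    rules = [parse_rule(line) for line in rule_lines]
    return {name: decide(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for title, ruleset in (("quoted rules only", QUOTED_RULES),
                           ("quoted rules + block in proto udp", WITH_UDP_BLOCK),
                           ("quoted rules + block in all", WITH_DEFAULT_BLOCK)):
        print(f"--- {title}")
        for name, verdict in decisions(ruleset).items():
            print(f"{verdict:5} {name}")
```

The run shows what the thread is circling around: the quoted pass rules only ever admit traffic, so what they "prohibit" depends entirely on the block rules that sit elsewhere in the full ruleset. Evaluated on their own under ipf's default-pass, they stop nothing, including inbound echo requests and the UDP probes a traceroute sends; an explicit `block in ... proto udp` stops the probes but not the pings, and a trailing catch-all block stops both while still admitting the echo-reply, unreachable code 3/4 and time-exceeded messages that make outbound ping and traceroute work.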