Date:      Mon, 5 Dec 2011 01:06:59 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Tim Daneliuk <tundra@tundraware.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw And ping
Message-ID:  <20111205003753.Q3548@sola.nimnet.asn.au>
In-Reply-To: <20111204120037.E129E10656B1@hub.freebsd.org>
References:  <20111204120037.E129E10656B1@hub.freebsd.org>

In freebsd-questions Digest, Vol 391, Issue 10, Message: 25
On Sun, 04 Dec 2011 01:44:53 -0600 Tim Daneliuk <tundra@tundraware.com> wrote:
 > On 12/04/2011 01:04 AM, Ian Smith wrote:
 > <SNIP>
 > 
 > >
 > > For one, google 'icmp redirect attack'
 > 
 > But isn't that handled by setting:
 > 
 > 
 >     net.inet.icmp.drop_redirect=1

Yes, but generally clearer to allow what you want and drop the rest.

 > > # This is the ICMP rule we generally use:
 > > #   ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18
 > 
 > 
 > Hmmm.... I just tried this and it seems to break ping...

That doesn't allow inbound pings, no.  Add type 8 if you want to permit 
inbound pings from anywhere, or use e.g. my example to do so selectively.

If you mean outbound pings, well you still have to allow outbound ICMP 
after denying what you don't want inbound .. here it is again:

        $fwadd pass icmp from any to any in recv ${ext_if} ${recv_types}
        # omit the following line if you included type 8 in $recv_types
        $fwadd pass icmp from ${pingok} to any in recv ${ext_if} icmptypes 8
        $fwadd deny log icmp from any to any in recv ${ext_if}
        $fwadd pass icmp from any to any        # outbound, and inside

cheers, Ian  (Please cc me; I take questions@ as a digest, can be slow)
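An added example, not the poster's own script: a small POSIX sh function that emits the four rules above with the variables filled in, and skips the selective type-8 rule when type 8 is already listed in $recv_types. The interface name, the allowed-pinger prefix and the dry-run FWADD default are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's rc script. Values below are
# placeholders: adjust ext_if, pingok and recv_types for your own host.
# By default the rules are only printed; set FWADD="ipfw -q add" to load them.

ext_if="em0"                      # external interface (assumed)
pingok="192.0.2.0/24"             # hosts allowed to ping us (documentation prefix)
recv_types="0,3,4,11,12,14,16,18" # replies and errors accepted from anywhere
FWADD="${FWADD:-echo ipfw add}"   # dry run unless overridden

# has_type: true if the comma-separated list $2 contains exactly type $1
has_type() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# icmp_rules IFACE PINGOK TYPES: emit the inbound ICMP rules, then the
# catch-all pass for outbound and internal traffic. The selective
# echo-request (type 8) rule is omitted when 8 is already in TYPES.
icmp_rules() {
    _if="$1"; _pingok="$2"; _types="$3"
    $FWADD pass icmp from any to any in recv "$_if" icmptypes "$_types"
    if ! has_type 8 "$_types"; then
        $FWADD pass icmp from "$_pingok" to any in recv "$_if" icmptypes 8
    fi
    $FWADD deny log icmp from any to any in recv "$_if"
    $FWADD pass icmp from any to any   # outbound, and inside
}

icmp_rules "$ext_if" "$pingok" "$recv_types"
```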
