From: mike@sentex.net (Mike Tancsa)
To: dwhite@resnet.uoregon.edu (Doug White)
Cc: questions@freebsd.org
Subject: Re: ICMP-attack
Date: Tue, 04 May 1999 05:30:10 GMT
Message-ID: <372e84d7.60848625@mail.sentex.net>
References: <372DEB73.71F97568@qatar.net.qa>

On 3 May 1999 16:22:58 -0400, in sentex.lists.freebsd.questions you wrote:

>On Mon, 3 May 1999, Fadi Sodah wrote:
>
>> What is the best firewall configuration to make smurf
>> and ICMPs attack useless?
>
>deny icmp from any to any

Actually, you want to be far more specific than that. You only want to
disable icmp echo requests, e.g. assuming your outside interface is fxp0

ipfw add deny icmp from any to any in recv fxp0 icmptype 0,8

or just icmptype 8 to allow your users to request pings.

However, the problem is that despite denying ping requests, the damage is
already done, so to speak. If your connection is a t3, and someone sends
45Mbs of echo packets at you, it will already have traversed your link
before your gateway eats them. Best to get your upstream to do it for you.

	---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp,
Waterloo, Ontario, Canada
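
Added example, not part of the original message and not ipfw code: a simplified first-match filter model in Python that compares the blanket `deny icmp from any to any` with the two `fxp0` variants (types 0,8 and type 8 only) on constructed packets. The class and function names and the default-allow fall-through are assumptions of the example.

```python
# Simplified model of first-match packet filtering (an assumption-laden sketch, not ipfw).
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8

@dataclass(frozen=True)
class Packet:
    proto: str                          # "icmp", "tcp", ...
    direction: str                      # "in" or "out" relative to the gateway
    iface: str                          # interface the packet was received on
    icmp_type: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                         # "deny" or "allow"
    proto: str
    direction: Optional[str] = None     # None = either direction
    iface: Optional[str] = None         # None = any interface
    icmp_types: Optional[frozenset] = None  # None = every ICMP type

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and (self.icmp_types is None or p.icmp_type in self.icmp_types))

def verdict(rules, p, default="allow"):
    """First matching rule wins; otherwise fall through to the assumed default."""
    return next((r.action for r in rules if r.matches(p)), default)

# The three rule sets discussed in the thread.
BLANKET = [Rule("deny", "icmp")]
TYPES_0_8 = [Rule("deny", "icmp", "in", "fxp0", frozenset({0, 8}))]
TYPE_8 = [Rule("deny", "icmp", "in", "fxp0", frozenset({8}))]

# Constructed sample traffic arriving on the outside interface.
SAMPLES = {
    "echo request from outside": Packet("icmp", "in", "fxp0", ECHO_REQUEST),
    "echo reply to an inside user's ping": Packet("icmp", "in", "fxp0", ECHO_REPLY),
    "destination unreachable": Packet("icmp", "in", "fxp0", DEST_UNREACH),
}

def compare():
    """Map each sample to its (blanket, types 0,8, type 8) verdicts."""
    return {name: tuple(verdict(rs, p) for rs in (BLANKET, TYPES_0_8, TYPE_8))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:38} blanket={row[0]:5} 0,8={row[1]:5} 8={row[2]}")
```

The model only covers what the gateway does with packets that reach it; it says nothing about the link already being saturated upstream, which is the message's second point.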