Date:      Sun, 17 Jan 1999 14:41:02 -0800 (PST)
From:      Archie Cobbs <archie@whistle.com>
To:        jjwolf@bleeding.com (Justin Wolf)
Cc:        ben@rosengart.com, madrapour@hotmail.com, freebsd-security@FreeBSD.ORG
Subject:   Re: Small Servers - ICMP Redirect
Message-ID:  <199901172241.OAA21852@bubba.whistle.com>
In-Reply-To: <007701be4256$f01ff740$02c3fe90@cisco.com> from Justin Wolf at "Jan 17, 99 12:20:45 pm"

Justin Wolf writes:
> >> 2) About ICMP redirect messages, as I learned they could be used to make
> >> our network disconnected and something. What's the way to prevent this
> >> kind of attack? Does blocking this kind of ICMP on firewall and routers
> >> cause any problem in connectivity and system behavior?
> >
> >I would block these messages from entering my network, absolutely.
> 
> Keep in mind that flatly blocking all ICMP messages will prevent traces and
> pings both in and out of your network.  It will also affect certain
> services...  The best way to tailor this is to block everything and loosen
> it up as necessary to keep things from breaking.

This is the ICMP rule we generally use:

  ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18

This allows "safe" ICMPs to get in, so that ping, traceroute, etc.
work, while blocking potentially unsafe ICMPs.

See /sys/netinet/ip_icmp.h for definitions of the ICMP types.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
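The following is an added example, not code from the message above or from ipfw itself. It parses the quoted rule, puts it in front of an assumed inbound ICMP deny (rule 20) and an assumed outbound allow (rule 30), and evaluates constructed sample packets against the result. The point a practitioner should notice: the posted list admits echo-reply (0), destination-unreachable (3, which carries the "fragmentation needed" code PMTU discovery depends on) and time-exceeded (11), and denies redirect (5), but it also denies inbound echo-request (8), so hosts behind the filter stop answering pings from outside unless 8 is added. The `with_inbound_ping` variant and the rule numbers 20 and 30 are assumptions made for this example.

```python
"""ICMP filtering as in the ipfw rule quoted in the post.

Added example, not code from the original message or from ipfw itself.
It models only the subset of ipfw semantics the quoted rule uses
(protocol icmp, direction, an icmptypes list, first-match-wins order,
and a final deny), then evaluates constructed sample packets against it.
ICMP type numbers follow RFC 792 / FreeBSD's ip_icmp.h.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Rule 10 is the one quoted in the post. Rules 20 and 30 are assumptions
# about the rest of the ruleset: an explicit inbound ICMP deny (so the
# result does not depend on whether the kernel's default rule 65535 is
# deny or accept) and an outbound allow so local ping/traceroute probes
# can leave.
RULESET = [
    "ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18",
    "ipfw add 20 deny icmp from any to any in",
    "ipfw add 30 allow icmp from any to any out",
]

# Only the rule shape used above is understood; anything else is rejected.
RULE_RE = re.compile(
    r"ipfw add (?P<num>\d+) (?P<action>allow|deny) icmp from any to any"
    r"(?: (?P<dir>in|out))?(?: icmptypes (?P<types>\d+(?:,\d+)*))?$"
)


@dataclass(frozen=True)
class IcmpPacket:
    direction: str        # "in" or "out", relative to the firewall
    icmp_type: int
    icmp_code: int = 0    # kept for reporting; ipfw's icmptypes matches type only


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    direction: Optional[str]             # None matches both directions
    icmptypes: Optional[FrozenSet[int]]  # None matches every ICMP type

    def matches(self, pkt: IcmpPacket) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        return self.icmptypes is None or pkt.icmp_type in self.icmptypes


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    types = m.group("types")
    return Rule(int(m.group("num")), m.group("action"), m.group("dir"),
                frozenset(map(int, types.split(","))) if types else None)


def evaluate(rules: List[Rule], pkt: IcmpPacket) -> str:
    """First matching rule in number order decides; with no match the
    packet falls to the default rule, which denies on a stock kernel."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample traffic, chosen to exercise the interesting cases.
SAMPLES = {
    "echo-reply to our own ping": IcmpPacket("in", 0),
    "frag-needed (PMTU discovery)": IcmpPacket("in", 3, 4),
    "time-exceeded (traceroute)": IcmpPacket("in", 11),
    "redirect from outside": IcmpPacket("in", 5),
    "echo-request from outside": IcmpPacket("in", 8),
    "our outbound echo-request": IcmpPacket("out", 8),
}


def audit(ruleset=RULESET, samples=SAMPLES) -> dict:
    """Verdict per sample packet under the given ruleset."""
    rules = [parse_rule(r) for r in ruleset]
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


def with_inbound_ping(ruleset=RULESET) -> list:
    """Assumed variant that also lets outsiders ping hosts behind the filter:
    the quoted list omits type 8, so inbound echo-request is otherwise denied."""
    return [r.replace("icmptypes 0,3,", "icmptypes 0,3,8,") if "icmptypes" in r else r
            for r in ruleset]


if __name__ == "__main__":
    for label, rs in (("as posted", RULESET), ("plus inbound echo-request", with_inbound_ping())):
        print(f"--- {label}")
        for name, verdict in audit(rs).items():
            print(f"{verdict:5s}  {name}")
```

Note that the model applies the `in` keyword to the firewall's own interface; on a router, "in" packets also include those that will be forwarded, so a rule like rule 10 shapes what the whole network behind it can receive, not just the filtering host.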

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199901172241.OAA21852>