Date:      Fri, 2 Jul 1999 10:34:49 -0700 (PDT)
From:      Julian Elischer <julian@whistle.com>
To:        Rowan Crowe <rowan@sensation.net.au>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: ipfw - can it deny ICMP "3.2" (type 3, subtype 2)?
Message-ID:  <Pine.BSF.3.95.990702103213.15074A-100000@current1.whistle.com>
In-Reply-To: <Pine.BSF.4.01.9406101921340.2389-100000@velvet.sensation.net.au>


On Fri, 10 Jun 1994, Rowan Crowe wrote:

> Hi all,
> 
> In the process of using tcpdump to check that traffic was flowing through
> the correct links after some routing changes, I noticed an attack on one
> of my users...
> 
> 12:55:34.711241 193.230.186.164 > 203.20.114.159: icmp: 207.114.0.144 protocol 6 unreachable
> 
> I added in a temporary ipfw block to deny and log anything from that IP:
> 
> Jul  2 12:55:58 satin /kernel: ipfw: 1 Deny ICMP:3.2 193.230.186.164 203.20.114.159 in via ppp0
> Jul  2 12:56:25 satin last message repeated 1736 times
> 
> As this is a reasonably common attack and fairly simplistic in nature I
> thought I might be able to get ipfw to block it. However, after some head
> scratching and reading of the man pages it seems that ipfw will not allow
> me to block a "subtype" such as the '.2' in 3.2.
> 
> satin# ipfw a 1 deny icmp from 1.2.3.4 to 1.2.3.4 icmptypes 3.2
> ipfw: error: invalid ICMP type
> 
> I can't just blanket block type 3 as that's destination unreachable, which
> generally is a legitimate ICMP message that should be passed.
> 
> Any ideas?

a patch to /sys/netinet/ip_fw.c that implements this
and
/usr/src/sbin/ipfw

would not be too hard for you to write if you wanted that functionality,
and we could certainly commit it if you did..
:-)

julian
> 
> Cheers.
> 
> 
> --
> Rowan Crowe                              http://www.rowan.sensation.net.au/
> Sensation Internet Services                    http://www.sensation.net.au/
> Melbourne, Australia                                 Phone: +61-3-9388-9260
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
> 
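The type-plus-code match asked about in this thread, as an added example (not part of the original messages and not ipfw code): a stand-alone C sketch that parses a `3.2`-style spec and tests a raw IPv4 packet against it. The names `icmp_spec`, `parse_icmp_spec`, `icmp_match` and `sample_pkt` are hypothetical, the sample packet is constructed, and the example generalises slightly by also accepting a bare type such as `3` to mean any code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ANY_CODE (-1)                 /* spec named a type only, e.g. "3" */
struct icmp_spec { int type; int code; };

/* Parse "T" or "T.C" (decimal, 0..255 each). Returns 0 on success, -1 if malformed. */
int parse_icmp_spec(const char *s, struct icmp_spec *out)
{
    char *end;
    if (*s < '0' || *s > '9') return -1;          /* no sign, space or empty string */
    long t = strtol(s, &end, 10);
    if (t > 255) return -1;
    out->type = (int)t;
    out->code = ANY_CODE;
    if (*end == '\0') return 0;                   /* type only */
    if (*end != '.' || end[1] < '0' || end[1] > '9') return -1;
    long c = strtol(end + 1, &end, 10);
    if (*end != '\0' || c > 255) return -1;       /* rejects "3.2.1", "3.999" */
    out->code = (int)c;
    return 0;
}

/* Returns 1 if pkt is an IPv4 ICMP packet whose type (and code, if given)
 * match; 0 for anything else, including truncated or fragmented input. */
int icmp_match(const uint8_t *pkt, size_t len, const struct icmp_spec *sp)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;          /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;              /* header may carry options */
    if (ihl < 20 || len < ihl + 2) return 0;               /* need ICMP type + code bytes */
    if (pkt[9] != 1) return 0;                             /* IP protocol 1 = ICMP */
    if (((pkt[6] & 0x1f) << 8 | pkt[7]) != 0) return 0;    /* later fragment: no ICMP header */
    if (pkt[ihl] != sp->type) return 0;
    return sp->code == ANY_CODE || pkt[ihl + 1] == sp->code;
}

/* Constructed sample: 192.0.2.1 -> 198.51.100.7, ICMP type 3 code 2
 * (protocol unreachable); checksums zeroed, quoted original datagram omitted. */
static const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 0, 2, 1, 198, 51, 100, 7,
    3, 2, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    struct icmp_spec sp;
    if (parse_icmp_spec("3.2", &sp) != 0) return 1;
    printf("3.2 matches sample: %d\n", icmp_match(sample_pkt, sizeof sample_pkt, &sp));
    return 0;
}
```

Matching on the code byte is what lets a filter drop protocol-unreachable (3.2) while still passing the other type 3 destination-unreachable codes.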


