Date: Thu, 02 Sep 2004 12:05:26 -0500
From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To: Dave <mudman@metafocus.net>
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW and icmp
Message-ID: <413752D6.4060100@daleco.biz>
In-Reply-To: <20040901203202.U31170@metafocus.net>
References: <20040901203202.U31170@metafocus.net>

Dave wrote:

>I'm not a master of the internet RFCs, but I do believe icmp messages have
>different types.
>
>Now to enable traceroute for IPFW, I might put in a rule like this:
>
>ipfw add pass icmp from any to me
>
>However, how would I make a rule to limit icmp messages to just those used
>by traceroute?  Can the messages be distinguished as such?
>

I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11".
That includes 'echo request', of course.  Someone else may have
a better idea.

>A dynamic rule that exists only for the duration of a traceroute execution
>would be even better.  I take it 'setup' or 'check-state' would follow in
>that case?
>

Seems likely.  *sigh* one more manpage to read.... ;-)

Kevin Kinsey
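
An added example, not part of the original message or of FreeBSD's code: a Python model of how an `icmptypes` list selects ICMP messages by their type field, run over constructed samples of what a host running traceroute receives. `NARROW_RULE` is an assumed alternative for comparison, and every sample message is built inline.

```python
import struct

THREAD_RULE = "allow icmp from any to any icmptypes 0,3,4,8,11"  # from the message
NARROW_RULE = "allow icmp from any to me in icmptypes 3,11"      # assumed alternative

def parse_icmptypes(rule):
    """Return the ICMP types listed after 'icmptypes', or None if the option is absent."""
    words = rule.split()
    if "icmptypes" not in words:
        return None  # without the option the rule matches every ICMP type
    return {int(t) for t in words[words.index("icmptypes") + 1].split(",")}

def checksum(data):
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, payload=b""):
    """Construct a sample ICMP message: type, code, checksum, 4 header bytes, payload."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def icmp_type_of(message):
    """Parse the type field; the checksum test is this parser's sanity check only."""
    if len(message) < 8 or checksum(message) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    return message[0]

# Constructed samples: what a host running traceroute receives, plus unrelated types.
SAMPLES = [
    ("time exceeded (router on the path)", build_icmp(11, 0, b"probe")),
    ("port unreachable (target, UDP probes)", build_icmp(3, 3, b"probe")),
    ("echo reply (target, ICMP probes)", build_icmp(0, 0)),
    ("echo request (inbound ping)", build_icmp(8, 0)),
    ("redirect", build_icmp(5, 1)),
    ("timestamp request", build_icmp(13, 0)),
]

def admitted(rule):
    """Names of the sample messages whose type the rule's icmptypes list matches."""
    allowed = parse_icmptypes(rule)
    return [name for name, msg in SAMPLES
            if allowed is None or icmp_type_of(msg) in allowed]

if __name__ == "__main__":
    for rule in (THREAD_RULE, NARROW_RULE):
        print(rule, "->", admitted(rule))
```

The output shows which of the constructed messages each list lets through; the model covers only the type match, not addresses, direction or state.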