Date:      Thu, 02 Sep 2004 12:05:26 -0500
From:      "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To:        Dave <mudman@metafocus.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPFW and icmp
Message-ID:  <413752D6.4060100@daleco.biz>
In-Reply-To: <20040901203202.U31170@metafocus.net>
References:  <20040901203202.U31170@metafocus.net>

Dave wrote:

>I'm not a master of the internet RFCs, but I do believe icmp messages have
>different types.
>
>Now to enable traceroute for IPFW, I might put in a rule like this:
>
>ipfw add pass icmp from any to me
>
>However, how would I make a rule to limit icmp messages to just those used
>by traceroute?  Can the messages be distinguished as such?
>

I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11".  That
includes 'echo request', of course.  Someone else may have a better idea.

>A dynamic rule that exists only for the duration of a traceroute execution
>would be even better.  I take it 'setup' or 'check-state' would follow in
>that case?
>
Seems likely. *sigh* one more manpage to read.... ;-)

Kevin Kinsey
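A worked illustration of the point in this exchange, added here and not part of the original message or of ipfw itself: it models the first-match behaviour of ipfw's `icmptypes` option and runs three rule sets (the unrestricted "pass icmp from any to me", the 0,3,4,8,11 list above, and a tighter list holding only what a traceroute or ping client needs to receive) against a handful of constructed ICMP packets. The packets, the `note` labels and the helper names are assumptions made up for the example; the type numbers are the IANA ICMP assignments (UDP-probe traceroute, the FreeBSD default, needs type 11 from each hop and type 3 code 3 from the destination; `ping` and `traceroute -I` need type 0 replies). The tighter list still drops inbound echo requests, so the host stops answering pings from outside, which is the trade-off to decide on.

```python
"""Model of ipfw's `icmptypes` matching, run over constructed ICMP packets.

Added example; not code from the thread or from ipfw.  Packet records,
labels and helper names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence

# IANA ICMP type numbers referenced by the rules below.
ICMP_TYPE_NAMES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    13: "timestamp request",
}

# What a UDP-probe traceroute must be allowed to receive: type 11 from every
# intermediate hop and type 3 (code 3, port unreachable) from the target.
TRACEROUTE_TYPES = frozenset({3, 11})
# What ping / traceroute -I must receive: echo replies to their type-8 probes.
PING_REPLY_TYPES = frozenset({0})


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    icmp_type: int
    icmp_code: int = 0
    note: str = ""          # constructed label used to key the results


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    icmptypes: Optional[FrozenSet[int]]  # None means no icmptypes option: any type


def to_ipfw(rule: Rule, number: int) -> str:
    """Render the modelled rule in ipfw(8) syntax (for the inbound 'to me' case)."""
    text = f"ipfw add {number} {rule.action} icmp from any to me"
    if rule.icmptypes is not None:
        text += " icmptypes " + ",".join(str(t) for t in sorted(rule.icmptypes))
    return text


def first_match(rules: Sequence[Rule], pkt: IcmpPacket) -> str:
    """ipfw semantics: the first matching rule decides; the default rule denies."""
    for rule in rules:
        if rule.icmptypes is None or pkt.icmp_type in rule.icmptypes:
            return rule.action
    return "deny"


def evaluate(rules: Sequence[Rule], packets: Sequence[IcmpPacket]) -> Dict[str, str]:
    """Map each packet's label to the action the rule set takes on it."""
    return {pkt.note: first_match(rules, pkt) for pkt in packets}


# The three rule sets under discussion.
PERMISSIVE = [Rule("allow", None)]                          # pass icmp from any to me
LISTED = [Rule("allow", frozenset({0, 3, 4, 8, 11}))]       # the icmptypes list in the reply
TRACEROUTE_ONLY = [Rule("allow", TRACEROUTE_TYPES | PING_REPLY_TYPES)]  # 0,3,11

# Constructed sample traffic arriving at the firewall (documentation addresses).
SAMPLE_PACKETS = [
    IcmpPacket("192.0.2.1", 11, 0, "time exceeded from hop"),
    IcmpPacket("198.51.100.7", 3, 3, "port unreachable from target"),
    IcmpPacket("198.51.100.7", 0, 0, "echo reply to our ping"),
    IcmpPacket("203.0.113.9", 8, 0, "echo request from outside"),
    IcmpPacket("203.0.113.9", 5, 1, "redirect"),
    IcmpPacket("203.0.113.9", 13, 0, "timestamp request"),
]


if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("listed", LISTED),
                        ("traceroute-only", TRACEROUTE_ONLY)):
        print(f"# {name}: {to_ipfw(rules[0], 100)}")
        for label, action in evaluate(rules, SAMPLE_PACKETS).items():
            print(f"  {action:5s} {label}")
```

Running it shows the unrestricted rule passing everything, the listed rule still dropping redirects and timestamp requests while answering outside pings, and the traceroute-only rule additionally dropping inbound echo requests.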
