Date:      Fri, 3 Sep 2004 09:15:31 -0400 (EDT)
From:      c0ldbyte <c0ldbyte@myrealbox.com>
To:        freebsd-security@freebsd.org
Subject:   Re: freebsd-security Digest, Vol 75, Issue 2
Message-ID:  <20040903091313.B57210@eleanor.spectical.net>
In-Reply-To: <20040903120107.3D61A16A4E0@hub.freebsd.org>
References:  <20040903120107.3D61A16A4E0@hub.freebsd.org>

On Fri, 3 Sep 2004 freebsd-security-request@freebsd.org wrote:

> Send freebsd-security mailing list submissions to
> 	freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> 	freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
> 	freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
>   1. Re: IPFW and icmp (Kevin D. Kinsey, DaleCo, S.P.)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 02 Sep 2004 12:05:26 -0500
> From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
> Subject: Re: IPFW and icmp
> To: Dave <mudman@metafocus.net>
> Cc: freebsd-security@freebsd.org
> Message-ID: <413752D6.4060100@daleco.biz>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Dave wrote:
>
>> I'm not a master of the internet RFCs, but I do believe icmp messages have
>> different types.
>>
>> Now to enable traceroute for IPFW, I might put in a rule like this:
>>
>> ipfw add pass icmp from any to me
>>
>> However, how would I make a rule to limit icmp messages to just those used
>> by traceroute?  Can the messages be distinguished as such?
>>
>>
>>
>
> I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11".  That
> includes 'echo request', of course.  Someone else may have a better idea.
>
>> A dynamic rule that exists only for the duration of a traceroute execution
>> would be even better.  I take it 'setup' or 'check-state' would follow in
>> that case?
>>
>>
>>
> Seems likely. *sigh* one more manpage to read.... ;-)
>
> Kevin Kinsey
>
> ------------------------------
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> End of freebsd-security Digest, Vol 75, Issue 2
> ***********************************************
>
>

You guys should check out this link here for the ICMP types.
http://www.iana.org/assignments/icmp-parameters might help
you out a little.

       This e-mail may be privileged and/or confidential, and the sender
does not waive any related rights and obligations. Any distribution, use
or copying of this e-mail or the information it contains by other than an
intended recipient is unauthorized. If you received this e-mail in error,
please advise me (by return e-mail or otherwise) immediately.
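
The ruleset below is an added example, not part of the original message or thread: it narrows the quoted "pass icmp from any to me" rule to the ICMP types that traceroute's replies use. It assumes traceroute is run from this host; the rule numbers and the upper bound of the UDP port range are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, or applies, ipfw rules that
# admit only the ICMP replies traceroute depends on, in place of the broad
#     ipfw add pass icmp from any to me
#
# Assumptions: traceroute runs FROM this host; rule numbers 1000-1030 are
# hypothetical and must be fitted into the ordering of your own ruleset.

# Dry run by default: the commands are only printed.
# Run with IPFW=ipfw (as root) to install them.
IPFW="${IPFW:-echo ipfw}"

traceroute_rules() {
    # Outbound probes, default mode: UDP starting at traceroute's default
    # base port 33434. The upper bound 33534 is an assumed range.
    $IPFW add 1000 allow udp from me to any 33434-33534 out

    # Outbound probes for "traceroute -I": ICMP echo request (type 8).
    $IPFW add 1010 allow icmp from me to any out icmptypes 8

    # Inbound replies:
    #   11 = time exceeded           (sent by each intermediate hop)
    #    3 = destination unreachable (sent by the target in UDP mode)
    #    0 = echo reply              (sent by the target in -I mode)
    $IPFW add 1020 allow icmp from any to me in icmptypes 0,3,11

    # Any other inbound ICMP type (8 and 4 included) is dropped and logged.
    $IPFW add 1030 deny log icmp from any to me in
}

traceroute_rules
```

Compared with the "icmptypes 0,3,4,8,11" list quoted above, this leaves out inbound type 8 (echo request) and type 4 (source quench), which a traceroute started from this host does not need.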
