Date: Fri, 3 Sep 2004 09:15:31 -0400 (EDT) From: c0ldbyte <c0ldbyte@myrealbox.com> To: freebsd-security@freebsd.org Subject: Re: freebsd-security Digest, Vol 75, Issue 2 Message-ID: <20040903091313.B57210@eleanor.spectical.net> In-Reply-To: <20040903120107.3D61A16A4E0@hub.freebsd.org> References: <20040903120107.3D61A16A4E0@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 3 Sep 2004 freebsd-security-request@freebsd.org wrote: > Send freebsd-security mailing list submissions to > freebsd-security@freebsd.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freebsd.org/mailman/listinfo/freebsd-security > or, via email, send a message with subject or body 'help' to > freebsd-security-request@freebsd.org > > You can reach the person managing the list at > freebsd-security-owner@freebsd.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of freebsd-security digest..." > > > Today's Topics: > > 1. Re: IPFW and icmp (Kevin D. Kinsey, DaleCo, S.P.) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 02 Sep 2004 12:05:26 -0500 > From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz> > Subject: Re: IPFW and icmp > To: Dave <mudman@metafocus.net> > Cc: freebsd-security@freebsd.org > Message-ID: <413752D6.4060100@daleco.biz> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Dave wrote: > >> I'm not a master of the internet RFCs, but I do believe icmp messages have >> different types. >> >> Now to enable traceroute for IPFW, I might put in a rule like this: >> >> ipfw add pass icmp from any to me >> >> However, how would I make a rule to limit icmp messages to just those used >> by traceroute? Can the messages be distinguished as such? >> >> >> > > I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11". That > include 'echo request', of course. Someone else may have a better idea. > >> A dynamic rule that exists only for the duration of a traceroute execution >> would be even better. I take it 'setup' or 'check-state' would follow in >> that case? >> >> >> > Seems likely. *sigh* one more manpage to read.... ;-) > > Kevin Kinsey > > ------------------------------ > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > End of freebsd-security Digest, Vol 75, Issue 2 > *********************************************** > > You guys should check out this link here for the ICMP types. http://www.iana.org/assignments/icmp-parameters might help you out a little. This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040903091313.B57210>