Date:      Sun, 6 Oct 2002 03:49:11 +0300
From:      Giorgos Keramidas <keramida@freebsd.org>
To:        "Jack L. Stone" <jackstone@sage-one.net>
Cc:        "Patrick O'Reilly" <bsd@perimeter.co.za>, questions@freebsd.org, master <master@tyranz.com>
Subject:   Re: block icmp with ipfw
Message-ID:  <20021006004911.GB39351@hades.hell.gr>
In-Reply-To: <3.0.5.32.20021005193900.01199da8@mail.sage-one.net>
References:  <3.0.5.32.20021005085103.011d62c0@mail.sage-one.net> <3.0.5.32.20021005193900.01199da8@mail.sage-one.net>

On 2002-10-05 19:39, "Jack L. Stone" <jackstone@sage-one.net> wrote:
> At 09:41 PM 10.5.2002 +0300, Giorgos Keramidas wrote:
> >On 2002-10-05 08:51, Jack L. Stone wrote:
> >> At 03:41 PM 10.5.2002 +0200, Patrick O'Reilly wrote:
> >> >From: "master" <master@tyranz.com>
> >> > > hi all i would like to know the syntax of ipfw to block icmp ping?
> >> > > (echo and reply)
> >> >
> >> > ipfw add 123 deny ip from any to any icmptypes 8
> >>
> >> .... but if you still want to ping OUT....
> >> ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
> >
> >That will negate the effect of any firewall rules that "block" icmp
> >packets though, i.e. it's the opposite of what was asked :-)
>
> ....then answer the poster's question. I don't have the same other rule in
> conflict....

Pardon me sounding a bit offensive, if I did.  I meant that there is
no good rule that allows outgoing pings but blocks incoming ones.  You
can probably use something that depends on ipfw states, but icmp is
not really good at keeping states and dynamic rules will eat more
resources than simply blocking all icmps.
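
The stateful approach mentioned in the reply above, as an added example that is not part of the original message: outgoing echo requests create a dynamic rule, and unsolicited incoming echo requests and replies are denied. The rule numbers, the default interface name `fxp0` and the function name are assumptions; by default the script only prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# Dry run by default: prints the commands. Set fwcmd=/sbin/ipfw to apply them.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-fxp0}"          # assumed name of the outside interface

# Hypothetical helper: allow pings out, drop pings in, on interface $1.
ping_out_only() {
    # Must come first: packets that match an existing dynamic rule
    # (the replies to our own pings) are accepted here.
    ${fwcmd} add 1000 check-state

    # Outgoing echo request (type 8) creates a dynamic rule. The dynamic
    # rule matches ICMP between the same two addresses in both directions
    # until it expires, and each one occupies an entry in the state table.
    ${fwcmd} add 1010 allow icmp from any to any out via "$1" icmptypes 8 keep-state

    # Anything that reaches this rule has no matching state: drop incoming
    # echo requests (8) and unsolicited echo replies (0).
    ${fwcmd} add 1020 deny icmp from any to any in via "$1" icmptypes 0,8
}

ping_out_only "${oif}"
```

Other ICMP types are left to the rest of the ruleset; only echo request and echo reply are handled here.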