From owner-freebsd-questions@FreeBSD.ORG Sun Dec 4 14:07:04 2011
Date: Mon, 5 Dec 2011 01:06:59 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Tim Daneliuk
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw And ping
Message-ID: <20111205003753.Q3548@sola.nimnet.asn.au>
In-Reply-To: <20111204120037.E129E10656B1@hub.freebsd.org>

In freebsd-questions Digest, Vol 391, Issue 10, Message: 25
On Sun, 04 Dec 2011 01:44:53 -0600 Tim Daneliuk wrote:

> On 12/04/2011 01:04 AM, Ian Smith wrote:
> >
> > For one, google 'icmp redirect attack'
>
> But isn't that handled by setting:
>
> net.inet.icmp.drop_redirect=1

Yes, but generally clearer to allow what you want and drop the rest.

> > # This is the ICMP rule we generally use:
> > # ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18
>
> Hmmm.... I just tried this and it seems to break ping...

That doesn't allow inbound pings, no.  Add type 8 if you want to permit
inbound pings from anywhere, or use e.g. my example to do so selectively.
If you mean outbound pings, well you still have to allow outbound ICMP
after denying what you don't want inbound .. here it is again:

  $fwadd pass icmp from any to any in recv ${ext_if} ${recv_types}
  # omit the following line if you included type 8 in $recv_types
  $fwadd pass icmp from ${pingok} to any in recv ${ext_if} icmptypes 8
  $fwadd deny log icmp from any to any in recv ${ext_if}
  $fwadd pass icmp from any to any        # outbound, and inside

cheers, Ian

(Please cc me; I take questions@ as a digest, can be slow)
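As an added illustration that is not part of Ian's post: the same four rules as a complete sh script run in dry-run mode (a live box would set fwadd to "/sbin/ipfw -q add"), plus a hand-written first-match walk that shows which verdict a given ICMP packet gets, including the "and inside" case where a ping arriving on an internal interface falls through to the last rule. The interface em0, the trusted address 192.0.2.10 and the recv_types list are this script's own assumed values, not from the post.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: the ICMP rule block as a
# complete dry-run script, plus a first-match walk for one packet at a time.
ext_if="em0"                                  # assumed external interface
pingok="192.0.2.10"                           # assumed host allowed to ping us
recv_types="icmptypes 0,3,4,11,12,14,16,18"   # the types from the earlier rule
fwadd="echo ipfw add"                         # dry run; live box: "/sbin/ipfw -q add"

# Emit the rules in the order ipfw evaluates them (first match wins).
icmp_rules() {
    $fwadd pass icmp from any to any in recv "$ext_if" $recv_types
    # omit the following line if type 8 is already in $recv_types
    $fwadd pass icmp from "$pingok" to any in recv "$ext_if" icmptypes 8
    $fwadd deny log icmp from any to any in recv "$ext_if"
    $fwadd pass icmp from any to any            # outbound, and inside
}

# Walk the same four rules by hand for one packet: direction (in|out), the
# interface it was received on, source address, ICMP type. Prints pass or deny.
icmp_verdict() {
    dir=$1; iface=$2; src=$3; icmptype=$4
    if [ "$dir" = in ] && [ "$iface" = "$ext_if" ]; then
        # rule 1: the explicitly allowed inbound types
        case ",${recv_types#"icmptypes "}," in *",$icmptype,"*) echo pass; return;; esac
        # rule 2: echo-request, but only from the trusted host
        if [ "$icmptype" = 8 ] && [ "$src" = "$pingok" ]; then echo pass; return; fi
        # rule 3: anything else inbound on the external interface is dropped and logged
        echo deny; return
    fi
    # rule 4: outbound traffic, and anything arriving on inside interfaces
    echo pass
}

icmp_rules
icmp_verdict in  em0 203.0.113.7 8    # deny: echo-request from an untrusted host
icmp_verdict in  em0 192.0.2.10  8    # pass: echo-request from $pingok
icmp_verdict in  em0 203.0.113.7 5    # deny: an inbound ICMP redirect never gets through
icmp_verdict out em0 10.0.0.1    8    # pass: our own outbound ping
icmp_verdict in  em1 10.0.0.5    8    # pass: inside interface, falls through to rule 4
```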