From owner-freebsd-questions@FreeBSD.ORG Thu Dec 1 23:25:11 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DFF1D1065670 for ; Thu, 1 Dec 2011 23:25:11 +0000 (UTC) (envelope-from tundra@tundraware.com) Received: from ozzie.tundraware.com (ozzie.tundraware.com [75.145.138.73]) by mx1.freebsd.org (Postfix) with ESMTP id A3F3B8FC0C for ; Thu, 1 Dec 2011 23:25:11 +0000 (UTC) Received: from [192.168.0.2] (viper.tundraware.com [192.168.0.2]) (authenticated bits=0) by ozzie.tundraware.com (8.14.5/8.14.5) with ESMTP id pB1NP4Uk002739 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Thu, 1 Dec 2011 17:25:04 -0600 (CST) (envelope-from tundra@tundraware.com) Message-ID: <4ED80CD0.8070709@tundraware.com> Date: Thu, 01 Dec 2011 17:25:04 -0600 From: Tim Daneliuk User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110922 Thunderbird/3.1.15 MIME-Version: 1.0 To: FreeBSD Mailing List Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (ozzie.tundraware.com [192.168.0.1]); Thu, 01 Dec 2011 17:25:04 -0600 (CST) X-TundraWare-MailScanner-Information: Please contact the ISP for more information X-TundraWare-MailScanner-ID: pB1NP4Uk002739 X-TundraWare-MailScanner: Found to be clean X-TundraWare-MailScanner-From: tundra@tundraware.com X-Spam-Status: No Subject: ipfw And ping X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 23:25:12 -0000 I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. Pings were not getting through so I added this near the top of the rule set: ##### # Allow icmp ##### ${FWCMD} add allow icmp from any to any It does work but, two questions: 1) Is there a better way? 2) Will this cause harm or otherwise expose the server to some vulnerability?