From owner-freebsd-questions@FreeBSD.ORG Fri Dec 2 02:54:39 2011
Date: Thu, 1 Dec 2011 20:56:15 -0600 (CST)
From: Robert Bonomi
Message-Id: <201112020256.pB22uFTL005227@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org, tundra@tundraware.com
In-Reply-To: <4ED80CD0.8070709@tundraware.com>
Subject: Re: ipfw And ping

> From owner-freebsd-questions@freebsd.org Thu Dec 1 17:27:19 2011
> Date: Thu, 01 Dec 2011 17:25:04 -0600
> From: Tim Daneliuk
> To: FreeBSD Mailing List
> Subject: ipfw And ping
>
> I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine.
> Pings were not getting through so I added this near the top
> of the rule set:
>
> #####
> # Allow icmp
> #####
>
> ${FWCMD} add allow icmp from any to any
>
> It does work but, two questions:
>
> 1) Is there a better way?
> 2) Will this cause harm or otherwise expose the server to some vulnerability?

FIRST question: Are you trying to make _outgoing_ ping work, or let the outside world 'ping' internal machines on your network? What you wrote is not clear on this point.

If it's just 'outgoing' pings you want, your rule is far too permissive.
And denying all ICMP traffic is far too restrictive for 'general' use.

Generally, you want to *allow* ICMP message types 3, 4, 12 in AND out.

Add type 8 out and type 0 in, to be able to ping from the inside to the outside world.
Add type 11 in to allow 'traceroute' from the inside to the outside world to work.

Add type 0 out and type 8 in, to allow the outside world to ping your machines.
Add type 11 out to allow the outside world to traceroute to internal hosts.

_I_ generally let the firewall _itself_ respond to any external-source traceroutes, but do not pass ICMP type 11 out from internal machines. Similarly, I let the firewall respond to pings addressed to its _external_ interface, but silently drop anything addressed any further inside my network. (If they can _reach_ my firewall, then a problem, whatever it is, *is* 'my problem' and that's all anybody on the outside needs to know, or to tell me, if reporting a problem. :)
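The policy Robert lays out, written as ipfw commands; this is an added example, not code from the thread. It keeps the poster's ${FWCMD} variable and assumes the external interface and its address are passed as arguments (em0 and 192.0.2.1 below are placeholders).

```shell
#!/bin/sh
# Added example, not from the original thread. Prints the ipfw rules for the
# ICMP policy above instead of running them, so the result can be reviewed
# before loading (pipe into sh to apply). Assumptions (placeholders):
#   FWCMD     the ipfw command, as in the poster's rule set (default: ipfw)
#   $1 / $2   external interface and its address, e.g. em0 and 192.0.2.1
FWCMD="${FWCMD:-ipfw}"

emit() { printf '%s add %s\n' "$FWCMD" "$*"; }

icmp_rules() {
    ext_if=$1
    ext_addr=$2
    # Error reports (3 unreachable, 4 source quench, 12 parameter problem)
    # are allowed in both directions.
    emit allow icmp from any to any icmptypes 3,4,12
    # Inside -> outside ping: echo request out, echo reply back in.
    emit allow icmp from any to any out via "$ext_if" icmptypes 8
    emit allow icmp from any to any in via "$ext_if" icmptypes 0
    # Inside -> outside traceroute: time-exceeded replies come back in.
    emit allow icmp from any to any in via "$ext_if" icmptypes 11
    # Outside may ping the firewall's external address only; echo requests
    # aimed further inside are silently dropped (deny, not reject).
    emit allow icmp from any to "$ext_addr" in via "$ext_if" icmptypes 8
    emit allow icmp from "$ext_addr" to any out via "$ext_if" icmptypes 0
    emit deny icmp from any to any in via "$ext_if" icmptypes 8
    # Only the firewall answers external traceroutes; time-exceeded from
    # internal hosts never leaves.
    emit allow icmp from "$ext_addr" to any out via "$ext_if" icmptypes 11
    emit deny icmp from any to any out via "$ext_if" icmptypes 11
    # Whatever ICMP is left is dropped rather than passed wholesale.
    emit deny icmp from any to any
}

# To load with the placeholder interface and address:
#   icmp_rules em0 192.0.2.1 | sh
```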