Date:      Thu, 1 Dec 2011 20:56:15 -0600 (CST)
From:      Robert Bonomi <bonomi@mail.r-bonomi.com>
To:        freebsd-questions@freebsd.org, tundra@tundraware.com
Subject:   Re: ipfw And ping
Message-ID:  <201112020256.pB22uFTL005227@mail.r-bonomi.com>
In-Reply-To: <4ED80CD0.8070709@tundraware.com>

> From owner-freebsd-questions@freebsd.org  Thu Dec  1 17:27:19 2011
> Date: Thu, 01 Dec 2011 17:25:04 -0600
> From: Tim Daneliuk <tundra@tundraware.com>
> To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
> Subject: ipfw And ping
>
> I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine.
> Pings were not getting through so I added this near the top
> of the rule set:
>
>    #####
>    # Allow icmp
>    #####
>
>    ${FWCMD} add allow icmp from any to any
>
>
> It does work but, two questions:
>
> 1) Is there a better way?
> 2) Will this cause harm or otherwise expose the server to some vulnerability?

FIRST question: Are you trying to make _outgoing_ ping work, or let the 
outside world 'ping' internal machines on your network?  What you wrote
is not clear on this point.

If it's just 'outgoing' pings you want, your rule is far too permissive.
And denying all ICMP traffic is far too restrictive for 'general' use.

Generally, you want to *allow* ICMP message types 3, 4, 12 in AND out.

Add type 8 out and type 0 in, to be able to ping from the inside to the 
outside world.

Add type 11 in to allow 'traceroute' from the inside to the outside world
to work.

Add type 0 out and type 8 in, to allow the outside world to ping your machines.

Add type 11 out to  allow the outside world to traceroute to internal hosts.

_I_ generally let the firewall _itself_ respond to any external-source
traceroutes, but do not pass ICMP type 11 out from internal machines.

Similarly, I let the firewall respond to pings addressed to its _external_
interface, but silently drop anything addressed any further inside my
network.  (If they can _reach_ my firewall, then a problem, whatever it
is, *is* 'my problem' and that's all anybody on the outside needs to know,
or to tell me, if reporting a problem. :)
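
The ICMP policy laid out in this reply, written as an ipfw rule fragment. This is an added example, not code from either poster: it assumes `em0` is the external interface, `192.168.1.0/24` the internal network and `203.0.113.10` the firewall's external address (all placeholder values to be replaced), it ignores NAT/divert ordering, and it relies on a default-deny rule at the end of the set to catch anything not listed (which is what keeps type 11 from leaving internal hosts). With `DRYRUN=1` the rules are printed rather than loaded, so the generated set can be reviewed on any POSIX shell before it touches a live firewall.

```shell
#!/bin/sh
# Added example: ipfw ICMP rules following the reply's policy.
# Placeholder values (assumptions, change for a real host):
oif="${oif:-em0}"                 # assumed external interface
inet="${inet:-192.168.1.0/24}"    # assumed internal network
fwip="${fwip:-203.0.113.10}"      # assumed firewall external address

# Wrapper around ipfw: with DRYRUN=1 the rule is echoed instead of loaded.
fwcmd() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

icmp_rules() {
    # Types 3 (unreachable), 4 (source quench), 12 (parameter problem): both ways.
    fwcmd add allow icmp from any to any icmptypes 3,4,12

    # Ping from inside to the outside world: type 8 out, type 0 back in.
    fwcmd add allow icmp from "${inet}" to any icmptypes 8 out via "${oif}"
    fwcmd add allow icmp from any to "${inet}" icmptypes 0 in via "${oif}"

    # Traceroute from inside: type 11 (time exceeded) in.
    fwcmd add allow icmp from any to "${inet}" icmptypes 11 in via "${oif}"

    # The firewall's own external interface answers pings and traceroutes:
    # type 8 in to it, types 0 and 11 out from it.
    fwcmd add allow icmp from any to "${fwip}" icmptypes 8 in via "${oif}"
    fwcmd add allow icmp from "${fwip}" to any icmptypes 0,11 out via "${oif}"

    # Pings aimed at anything further inside are dropped silently.
    # Type 11 out from internal hosts is not allowed anywhere above, so the
    # rule set's closing default-deny catches it.
    fwcmd add deny icmp from any to "${inet}" icmptypes 8 in via "${oif}"
}

# Usage: "sh icmp.sh show" prints the rules, "sh icmp.sh load" installs them.
case "${1:-}" in
    show) DRYRUN=1 icmp_rules ;;
    load) icmp_rules ;;
esac
```

The order matters: the allow for `${fwip}` must come before the deny for `${inet}` only if the firewall address lies inside that range; with the placeholder values above it does not, but keep the pattern of specific allows before broad denies when adapting it.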