From owner-freebsd-questions@FreeBSD.ORG Fri Dec 2 14:57:56 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0A8CE1065672 for ; Fri, 2 Dec 2011 14:57:56 +0000 (UTC) (envelope-from jon@radel.com) Received: from wave.radel.com (wave.radel.com [216.143.151.4]) by mx1.freebsd.org (Postfix) with ESMTP id B59848FC14 for ; Fri, 2 Dec 2011 14:57:54 +0000 (UTC) Received: by wave.radel.com (CommuniGate Pro PIPE 4.1.6) with PIPE id 10454846; Thu, 01 Dec 2011 18:46:02 -0500 Received: from [192.168.43.232] (account jon@radel.com HELO gravenstein.local) by wave.radel.com (CommuniGate Pro SMTP 4.1.6) with ESMTP-TLS id 10454844; Thu, 01 Dec 2011 18:45:48 -0500 Message-ID: <4ED811AC.4040901@radel.com> Date: Thu, 01 Dec 2011 18:45:48 -0500 From: Jon Radel User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Tim Daneliuk References: <4ED80CD0.8070709@tundraware.com> In-Reply-To: <4ED80CD0.8070709@tundraware.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Radel.com-MailScanner-Information: Please contact Jon for more information X-Radel.com-MailScanner: Found to be clean X-Mailer: CommuniGate Pro CLI mailer Cc: FreeBSD Mailing List Subject: Re: ipfw And ping X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Dec 2011 14:57:56 -0000 On 12/1/11 6:25 PM, Tim Daneliuk wrote: > > I have a fairly restrictive ipfw setup on a FBSD 8.2-STABLE machine. > Pings were not getting through so I added this near the top > of the rule set: > > ##### > # Allow icmp > ##### > > ${FWCMD} add allow icmp from any to any > > > It does work but, two questions: > > 1) Is there a better way? Consider allowing only the ICMP that does things you want to do. Google something like "icmp types to allow" for some hints and opinions. Just as an example, you can independently control being able to ping others and others being able to ping you. > 2) Will this cause harm or otherwise expose the server to some > vulnerability? Well, if you allow all ICMP types, it's possible to make your little packets go places you didn't really want them to go, and similar network breakage. You can also find those who feel strongly that allowing others to ping your machines gives them way too much information about what you have at which IP address. On the other hand, working ping and traceroute can be very handy to figure out what's wrong when the network breaks. But do you open up access on your server?---well not so much, though having said that I'm ready for somebody to remind me of some obscure attack that uses ICMP for more than information gathering. :-) --Jon Radel jon@radel.com