From owner-freebsd-security  Tue Jun 22  5:17:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 65AEE15089
	for <freebsd-security@FreeBSD.ORG>; Tue, 22 Jun 1999 05:17:32 -0700 (PDT)
	(envelope-from des@flood.ping.uio.no)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.1) id OAA83916;
	Tue, 22 Jun 1999 14:17:20 +0200 (CEST)
	(envelope-from des)
To: Dean <dean@thegrid.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ip firewall and icmp/dos.
References: <376E9ECA.F30CC3FC@telebot.net> <4.1.19990621221636.0091fac0@mail.thegrid.net>
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Date: 22 Jun 1999 14:17:20 +0200
In-Reply-To: Dean's message of "Mon, 21 Jun 1999 22:35:39 -0700"
Message-ID: <xzpyahcjupb.fsf@flood.ping.uio.no>
Lines: 11
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dean <dean@thegrid.net> writes:
> allow icmp from any to any in icmptype 0,3,4,11,12,14,16

4,12,14,16 are unnecessary. You only need 0,3,11 (and 8 if you're not
afraid of being ping-flooded - see ICMP_BANDLIM). I use:

pass icmp from any to any icmptype 0,3,8,11

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message