Re: How to config IPFW for enable ping and traceroute

From: Karsten W. Rohrbach (karsten@rohrbach.de)
Date: 09/29/01


Date: Sat, 29 Sep 2001 01:31:48 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: gkshenaut@ucdavis.edu


Stateful rules would be better; I don't know if this can be done with
ipfw (but I guess it should work somehow).
That's the ipfilter config for getting traceroute to work, for those who
are interested...

---excerpt from /etc/ipfilter.rules:
# traceroute udp outgoing
pass out proto udp from 0.0.0.0/32 to any port 33433 >< 33499 keep state

# icmp handling
# echo=8
pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 8 keep state
pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 8 keep state
# traceroute=30
pass in quick proto icmp from any to 0.0.0.0/32 icmp-type 30 keep state
pass out quick proto icmp from 0.0.0.0/32 to any icmp-type 30 keep state
block in log quick proto icmp from any to any

---
/k
Greg Shenaut(greg@bogslab.ucdavis.edu)@2001.09.27 10:35:53 +0000:
> In message <20010927061935.UUFZ16495.mta10.onebox.com@onebox.com>, "Chutima S." cleopede:
> >Hi
> >
> >I read from Firewall handbook as below:
> >icmptypes types 
> >Matches if the ICMP type is present in the list types. The list may be
> >specified as any combination of ranges and/or individual types separated
> >by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3
> >destination unreachable, 5 redirect, 8 echo request (ping request), and
> >11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
> >
> >So I configured ipfw for icmp as follows:
> >
> >ipfw add pass icmp from <internal> to any icmptypes 8
> >ipfw add pass icmp from any to <internal> icmptypes 0
> >ipfw add pass icmp from any to <internal> icmptypes 11
> >
> >I can ping but I cannot traceroute.  Anything wrong with my config?
> 
> Here is a scrap from the ksh script I use to generate my ipfw rules.
> It lets me ping and traceroute out, but accepts them only to my
> gateway box.  Note that it accepts any udp to a gateway interface
> in the standard range of traceroute ports (use of other ports will
> cause traceroute to fail).
> 
> "add" adds the rule, "alias" adds the rule for each alias of my
> external interface (using "printf", hence the "%s").  Variables
> {if,ip,mask,net}0 correspond to my external link; "{if,ip,net,mask}X"
> where X is 1-9 correspond to one of my internal subnets.
> 
> --- begin ---
> # ICMP
> # allow all ping and traceroute replies plus source quench
> add pass icmp from any to any icmptypes 0,3,4,11,12
> 
> # Allow ping of firewall machine but not beyond
> alias pass icmp from any to %s icmptypes 8
> alias pass icmp from %s to any icmptypes 8
> # NOTE: the next rule is a limited insecurity
> alias pass udp from any to %s 33434-33523
> alias pass udp from %s to any 33434-33523
> 
> # allow ping from any internal subnet
> for x in 1 2 3 4 5 6 7 8 9 ; do
> 	eval "iif=\$if$x"
> 	if [[ "$iif" = "" ]] ; then
> 		continue
> 	fi
> 	eval "inet=\$net$x"
> 	eval "imask=\$mask$x"
> 	eval "iip=\$ip$x"
> 	add pass icmp from ${inet}:${imask} to any icmptypes 8
> 	add pass udp from ${inet}:${imask} to any 33434-33523
> done
> 
> # explicitly deny other icmp packets across firewall
> add deny icmp from any to any via ${if0}
> ---end---
> 
> I hope this is helpful.
> 
> Greg Shenaut
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
-- 
> Get the all-new Microsoft[tm] IIS (Internet Intrusion Server[tm])! Out now!
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

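As an added illustration (not code from the thread), here is a small first-match rule evaluator that replays the packets of a ping and of a UDP traceroute against the three rules in the original question and against the essentials of Greg's rule set. The rule grammar, the internal network and the 3-hop target are simplified assumptions; it shows why the question's rules let ping work but drop the outbound UDP probes and the final ICMP type 3 reply that traceroute depends on.

```python
# Added example: simplified ipfw-style first-match evaluation of the two
# rule sets discussed in the thread. Not the thread's own code; addresses
# are constructed and only proto/direction/type/port are modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp" or "udp"
    direction: str      # "out" (internal -> any) or "in" (any -> internal)
    icmptype: int = -1  # ICMP type; -1 for non-ICMP packets
    dport: int = 0      # UDP destination port; 0 for non-UDP packets


def rule(action, proto, direction, icmptypes=(), ports=None):
    """One ipfw-like rule. direction 'any' matches both ways; an empty
    icmptypes set or ports=None means 'any type' / 'any port'."""
    return dict(action=action, proto=proto, direction=direction,
                icmptypes=set(icmptypes), ports=ports)


def matches(r, p):
    if r["proto"] != p.proto or r["direction"] not in ("any", p.direction):
        return False
    if p.proto == "icmp" and r["icmptypes"] and p.icmptype not in r["icmptypes"]:
        return False
    if p.proto == "udp" and r["ports"] and not (r["ports"][0] <= p.dport <= r["ports"][1]):
        return False
    return True


def verdict(rules, p):
    """ipfw semantics: the first matching rule wins; a default-deny
    policy (rule 65535 in a default build) is assumed at the end."""
    for r in rules:
        if matches(r, p):
            return r["action"]
    return "deny"


# The three rules from the original question: ICMP 8 out, 0 and 11 in.
QUESTION_RULES = [rule("pass", "icmp", "out", [8]),
                  rule("pass", "icmp", "in", [0]),
                  rule("pass", "icmp", "in", [11])]
# Essentials of Greg's reply: replies incl. type 3, echo out, UDP probes out.
REPLY_RULES = [rule("pass", "icmp", "any", [0, 3, 4, 11, 12]),
               rule("pass", "icmp", "out", [8]),
               rule("pass", "udp", "out", ports=(33434, 33523)),
               rule("deny", "icmp", "any")]

# Constructed traffic: a ping, and a UDP traceroute to a target 3 hops away
# (two ICMP 11 time-exceeded replies, then ICMP 3 port-unreachable).
PING = [Packet("icmp", "out", 8), Packet("icmp", "in", 0)]
TRACEROUTE = [Packet("udp", "out", dport=33434), Packet("icmp", "in", 11),
              Packet("udp", "out", dport=33435), Packet("icmp", "in", 11),
              Packet("udp", "out", dport=33436), Packet("icmp", "in", 3)]


def blocked(rules, flow):
    """Return the packets of a flow that the rule set would deny."""
    return [p for p in flow if verdict(rules, p) == "deny"]
```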
