Re: allowing icmp still doesn't allow traceroute
From: Bob K (melange@yip.org)
Date: 02/27/02
- Next message: Michael Sharp: "cvsup"
- Previous message: Alex Kiesel: "Re: allowing icmp still doesn't allow traceroute"
- In reply to: Bob K: "Re: allowing icmp still doesn't allow traceroute"
- Next in thread: Alex Kiesel: "Re: allowing icmp still doesn't allow traceroute"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Feb 2002 17:27:45 -0500 From: Bob K <melange@yip.org> To: freebsd-security@FreeBSD.ORG
On Wed, Feb 27, 2002 at 05:22:39PM -0500, Bob K wrote:
> On Wed, Feb 27, 2002 at 05:09:28PM -0500, Peter C. Lai wrote:
> > I have:
> > 00600 allow icmp from any to any
> >
> > for ipfw, and i still get sendto Permission denied when
> > I try to traceroute.
> >
> > I later also explicitly defined icmptypes 0,3,8,11,13
> > and this does not solve the problem.
> >
> > any suggestions?
>
> Add a rule such as this one:
>
> add <number> unreach port udp from any to any 33434-33524 in recv <iface>
Sigh, didn't read closely enough, sorry. That'll allow other people to
traceroute to you. You want to allow UDP packets in that above range
leaving your machine - this should do it:
allow udp from any to any 33434-33524 out xmit <iface>
(the "out xmit <iface>" part is optional, depending on the rest of your
rules)
-- Bob <melange@yip.org> | It's pretty good, if you don't think about it. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
- Next message: Michael Sharp: "cvsup"
- Previous message: Alex Kiesel: "Re: allowing icmp still doesn't allow traceroute"
- In reply to: Bob K: "Re: allowing icmp still doesn't allow traceroute"
- Next in thread: Alex Kiesel: "Re: allowing icmp still doesn't allow traceroute"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
