Re: IPFW and icmp

From: Kevin D. Kinsey, DaleCo, S.P. (kdk_at_daleco.biz)
Date: 09/02/04

  • Next message: c0ldbyte: "Re: freebsd-security Digest, Vol 75, Issue 2"
    Date: Thu, 02 Sep 2004 12:05:26 -0500
    To: Dave <mudman@metafocus.net>
    
    

    Dave wrote:

    >I'm not a master of the internet RFCs, but I do believe icmp messages have
    >different types.
    >
    >Now to enable traceroute for IPFW, I might put in a rule like this:
    >
    >ipfw add pass icmp from any to me
    >
    >However, how would I make a rule to limit icmp messages to just those used
    >by traceroute? Can the messages be distinguished as such?
    >
    >
    >

    I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11". That
    include 'echo request', of course. Someone else may have a better idea.

    >A dynamic rule that exists only for the duration of a traceroute execution
    >would be even better. I take it 'setup' or 'check-state' would follow in
    >that case?
    >
    >
    >
    Seems likely. *sigh* one more manpage to read.... ;-)

    Kevin Kinsey
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: c0ldbyte: "Re: freebsd-security Digest, Vol 75, Issue 2"