Disallowing ping and traceroute from outside

Mark Andrews Mark_Andrews at isc.org
Thu Jun 24 17:23:24 PDT 2004


> Hi All,
> 
> How do I configure ipfw2 to allow ping and traceroute from my internal
> network to the outside but not the other way around?

	Ping is usually ICMP ECHO out, ICMP ECHO REPLY in.  It can
	however be implemented using UDP/TCP or any other protocol
	in a similar manner to traceroute.  All it requires is some
	response to be returned.  Both "udpping" and "tcpping" exist.

	If you want to block traceroute don't offer *any* services
	to the outside world and use stateful rules for outgoing
	traffic.  traceroute works by causing systems to generate
	ICMP TIME EXCEEDED.  You really don't want to block that
	going out.

	Traceroute really is not bad, nor is ping.  Both are useful
	diagnostic tools.

	What was bad was "directed broadcasts".  This used to be
	done w/ ICMP ECHO requests which were then responded to by all
	the systems in the broadcast domain.  When this was being
	done the only solution was "block ICMP"/"block ICMP ECHO".

	Mark

> Thanks,
> Khoi
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
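The ruleset below is an added example, not something posted in this thread or shipped by FreeBSD: it turns the advice above (stateful rules for outgoing traffic, no inbound services, ICMP error messages such as TIME EXCEEDED left alone) into ipfw2 commands. The external interface name `fxp0` and the internal network `192.168.1.0/24` are assumed values; override them through `EXT_IF` and `INT_NET`. The script prints the `ipfw add` lines by default and only executes them when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the original thread): ipfw2 rules that let ping and
# traceroute go OUT from the internal network while refusing the same probes
# coming IN from the outside.
# Assumed values: EXT_IF is the interface facing the Internet (hypothetical
# "fxp0"); INT_NET is the internal network (constructed RFC 1918 block).
EXT_IF="${EXT_IF:-fxp0}"
INT_NET="${INT_NET:-192.168.1.0/24}"

# rule: print the ipfw command, or execute it when APPLY=1 is set.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipfw -q add "$@"
    else
        echo "ipfw add $*"
    fi
}

ruleset() {
    # Consult the dynamic (stateful) rules first, so replies to probes we
    # initiated are accepted without opening static holes for them.
    rule 100 check-state

    # Ping out: an ICMP ECHO request (type 8) leaving via the external
    # interface creates a dynamic rule that lets the matching ECHO REPLY in.
    rule 200 allow icmp from "$INT_NET" to any icmptypes 8 out via "$EXT_IF" keep-state

    # Traceroute out: classic traceroute sends UDP probes to high ports.
    # keep-state admits the final ICMP PORT UNREACHABLE from the target host.
    rule 210 allow udp from "$INT_NET" to any 33434-33534 out via "$EXT_IF" keep-state

    # TIME EXCEEDED (11) and DESTINATION UNREACHABLE (3) come from the
    # intermediate routers, not from the probed host, so the dynamic rule
    # cannot correlate them; accept them statelessly but only toward INT_NET.
    rule 220 allow icmp from any to "$INT_NET" icmptypes 3,11 in via "$EXT_IF"

    # Do not block our own ICMP error messages going out; other people's
    # traceroutes and path-MTU discovery depend on them.
    rule 230 allow icmp from "$INT_NET" to any icmptypes 3,11 out via "$EXT_IF"

    # No ping from outside: drop inbound ECHO requests on the external side.
    rule 300 deny icmp from any to any icmptypes 8 in via "$EXT_IF"

    # No traceroute from outside: drop the inbound UDP probe range and log it,
    # so no PORT UNREACHABLE is ever generated for it.
    rule 310 deny log udp from any to any 33434-33534 in via "$EXT_IF"

    # Offer no services to the outside world: everything else inbound on the
    # external interface is dropped and logged.
    rule 65000 deny log ip from any to any in via "$EXT_IF"
}

ruleset
```

Run it as `sh firewall.sh` to review the generated lines, then `APPLY=1 sh firewall.sh` on the gateway to load them. Rule 220 is the one deliberate stateless hole: ipfw dynamic rules are keyed on the protocol and the addresses/ports of the original UDP probe, so the ICMP errors returned by hops along the path would otherwise be dropped and outbound traceroute would show only `* * *`.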

