ipfw And ping

Ian Smith smithi at nimnet.asn.au
Sun Dec 4 14:07:04 UTC 2011


In freebsd-questions Digest, Vol 391, Issue 10, Message: 25
On Sun, 04 Dec 2011 01:44:53 -0600 Tim Daneliuk <tundra at tundraware.com> wrote:
 > On 12/04/2011 01:04 AM, Ian Smith wrote:
 > <SNIP>
 > 
 > >
 > > For one, google 'icmp redirect attack'
 > 
 > But isn't that handled by setting:
 > 
 > 
 >     net.inet.icmp.drop_redirect=1

Yes, but generally clearer to allow what you want and drop the rest.

 > > # This is the ICMP rule we generally use:
 > > #   ipfw add 10 allow icmp from any to any in icmptypes 0,3,4,11,12,14,16,18
 > 
 > 
 > Hmmm.... I just tried this and it seems to break ping...

That doesn't allow inbound pings, no.  Add type 8 if you want to permit 
inbound pings from anywhere, or use e.g. my example to do so selectively.

If you mean outbound pings, well you still have to allow outbound ICMP 
after denying what you don't want inbound .. here it is again:

        $fwadd pass icmp from any to any in recv ${ext_if} ${recv_types}
        # omit the following line if you included type 8 in $recv_types
        $fwadd pass icmp from ${pingok} to any in recv ${ext_if} icmptypes 8
        $fwadd deny log icmp from any to any in recv ${ext_if}
        $fwadd pass icmp from any to any        # outbound, and inside

cheers, Ian  (Please cc me; I take questions@ as a digest, can be slow)
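The four rules above as a self-contained sh script, added here as an
illustration and not part of Ian's ruleset. It assumes an external
interface of em0, a single trusted ping source 192.0.2.10 (a documentation
prefix address) and the usual recv_types list; $fwadd defaults to
"echo ipfw add" so the script prints the rules rather than installing
them (set FWADD="ipfw -q add" on a real FreeBSD host). It also goes one step
beyond the message with inbound_verdict, which emulates the first-match
order of the three inbound rules, so you can see why an ICMP type 8 from an
untrusted host is logged and dropped while echo replies (type 0) still pass.

```shell
#!/bin/sh
# Added example (not from the original mail). Values below are constructed.
ext_if="em0"                        # assumed external interface
pingok="192.0.2.10"                 # assumed host allowed to ping us (type 8)
recv_types="0,3,4,11,12,14,16,18"   # inbound ICMP types accepted from anywhere
fwadd="${FWADD:-echo ipfw add}"     # dry run by default; FWADD="ipfw -q add" installs

# Emit the ICMP section of the ruleset in the order the message gives it.
icmp_rules() {
    $fwadd pass icmp from any to any in recv "$ext_if" icmptypes "$recv_types"
    # omit the next line if type 8 is already in $recv_types
    $fwadd pass icmp from "$pingok" to any in recv "$ext_if" icmptypes 8
    $fwadd deny log icmp from any to any in recv "$ext_if"
    $fwadd pass icmp from any to any        # outbound, and inside
}

# Emulate ipfw first-match processing for one inbound ICMP packet on $ext_if.
# $1 = ICMP type, $2 = source address. Prints "pass" or "deny".
inbound_verdict() {
    # rule 1: type is in the recv_types list
    case ",$recv_types," in
        *",$1,"*) echo pass; return ;;
    esac
    # rule 2: echo request from the trusted host only
    if [ "$1" -eq 8 ] && [ "$2" = "$pingok" ]; then
        echo pass; return
    fi
    # rule 3: everything else inbound is logged and dropped
    echo deny
}

# Stand-alone run: show the rules, then a few verdicts.
icmp_rules
echo "type 8 from 203.0.113.5: $(inbound_verdict 8 203.0.113.5)"
echo "type 8 from $pingok: $(inbound_verdict 8 "$pingok")"
echo "type 0 from 203.0.113.5: $(inbound_verdict 0 203.0.113.5)"
echo "type 5 (redirect) from $pingok: $(inbound_verdict 5 "$pingok")"
```

Note that a redirect (type 5) is denied even from the trusted host, which
is the "allow what you want and drop the rest" point: you do not need
net.inet.icmp.drop_redirect to keep redirects out once the deny rule is in
place, though setting it as well costs nothing.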

