Re: Disallowing ping and traceroute from outside

• Previous message: root: "FW: sendmail upgrade on stable 4.9 ?"
• In reply to: Khoi Dinh: "Disallowing ping and traceroute from outside"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To: khoi@oddworld.com
Date: Fri, 25 Jun 2004 10:23:05 +1000

> Hi All,
>
> How do I configure ipfw2 to allow ping and traceroute from my internal
> network to the outside but not the other way around?

        Ping is usually ICMP ECHO out, ICMP ECHO REPLY in. It can
        however be implemented using UDP/TCP or any other protocol
        in a similar manner to traceroute. All it requires is some
        response to be returned. Both "udpping" and "tcpping" exist.

        If you want to block traceroute don't offer *any* services
        to the outside world and use stateful rules for outgoing
        traffic. traceroute works by causing systems to generate
        ICMP TIME EXCEEDED. You really don't want to block that
        going out.

        Traceroute really is not bad, nor is ping. Both are useful
        diagnostic tools.

        What was bad was "directed broadcasts". This used to be
        done w/ ICMP ECHO requests which then responsed to by all
        the systems in the broadcast domain. When this was being
        done the only solution was "block ICMP"/"block ICMP ECHO".

        Mark

> Thanks,
> Khoi
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

• Previous message: root: "FW: sendmail upgrade on stable 4.9 ?"
• In reply to: Khoi Dinh: "Disallowing ping and traceroute from outside"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: New thread, broadcom 802-11 related ... It can now ping all the machines on my local network. ... And while it can resolve a tracerouted address, the traceroute itself is blocked before it gets to my router. ... The routing table on the lappy isn't sensible either after all this by hand stuff but I don't think thats it when I can ping all the locals, and ATM I'm ssh -X into 'wireless' which is an alias for diablo that hits the wireless ports address, from this machine. ... (Fedora) Re: Linux Routing Issue ... I'm hoping some of you network experts out there ... Ping uses ICMP. ... traceroute and ping should give identical results. ... (comp.os.linux.networking) Disallowing ping and traceroute from outside ... How do I configure ipfw2 to allow ping and traceroute from my internal ... network to the outside but not the other way around? ... (freebsd-stable) Re: Not visable in net work ... > computer in the network i can't ping this server. ... traceroute will tell you how you're getting there. ... (linux.redhat.misc) Re: Mshome is not accessible ... Windows Network, and select the workgroup I get: ... Mshome is not accessible. ... All computers are running Windows XP SP2 and are members of the MSHOME ... Computer A can ping using ping hom100fr001. ... (microsoft.public.windowsxp.network_web)