Ron Tolton <[EMAIL PROTECTED]> wrote:
>
> I have been using ip_masq for several months now, but one thing
> still escapes me: does anyone out there know how to block ICMP
> requests from being transmitted back to the host?
You should heed the warnings of others on this list, about blindly
disabling ICMP on your firewall. However, it sounds like you merely
want to block some particular ICMP messages; this might not be such a
bad thing.
Some people seem to be saying that you can block incoming ICMP but not
outgoing. That doesn't make sense, because, for instance, a ping
command sends an outgoing ICMP ECHO packet, and expects to see an
incoming ICMP ECHO-REPLY packet. Both directions need to work, in order
for the traceroute to succeed.
Perhaps you could give some indication of what exactly you're trying to
block.
My guess is that you don't want people to be able to ping your firewall;
you want it to appear that there's nothing there. This is a reasonable
request. All you have to do, then, is to disable ICMP ECHO packets that
are destined for your firewall's external IP address.
ipchains -A input -j DENY -p icmp -i ppp+ -l -d 0/0 8
This rule should deny all ICMP packets coming into our external
interface, and log them, but only if they are ICMP ECHO-REQUEST packets
(basically, a ping request). All other ICMP would hopefully be allowed,
then, by your current rulesets.
If you speak ipfwadm, I think it goes something like this:
ipfwadm -I -a deny -P icmp -W ppp0 -o -S 0/0 -D 0/0 8
Now, that all being said, I tried this, and... it doesn't work.
However, I lack the time to figure out why. Does anyone see something
wrong with what I've written here?
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
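Added example, not from the post and not ipchains' own code: a small Python model of how an ipchains "-p icmp" input rule is matched. It assumes the convention from the ipchains documentation that for ICMP the "port" given with -s is the ICMP type and the "port" given with -d is the ICMP code, and it uses constructed addresses and interface names.

```python
# Models a subset of ipchains rule matching for "-p icmp" rules.
# Assumption (from the ipchains docs): with -p icmp, the -s "port" field holds
# the ICMP type and the -d "port" field holds the ICMP code. An echo-request
# (a ping) is type 8, code 0.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ECHO_REPLY = 0     # ICMP type 0
ECHO_REQUEST = 8   # ICMP type 8 (ping)


@dataclass
class IcmpPacket:
    iface: str       # interface the packet arrived on, e.g. "ppp0"
    src: str
    dst: str
    icmp_type: int
    icmp_code: int


@dataclass
class Rule:
    """-i IFACE -p icmp -s SRC_NET [TYPE] -d DST_NET [CODE] -j TARGET"""
    iface: str                      # trailing '+' is the ipchains prefix wildcard
    src_net: str
    dst_net: str
    target: str
    icmp_type: Optional[int] = None  # the "port" after -s
    icmp_code: Optional[int] = None  # the "port" after -d

    def matches(self, pkt: IcmpPacket) -> bool:
        if self.iface.endswith("+"):
            if not pkt.iface.startswith(self.iface[:-1]):
                return False
        elif pkt.iface != self.iface:
            return False
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.icmp_code is not None and pkt.icmp_code != self.icmp_code:
            return False
        return True


def verdict(chain: List[Rule], pkt: IcmpPacket, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed sample: a ping arriving on ppp0 for the firewall's external address.
PING = IcmpPacket("ppp0", "203.0.113.5", "192.0.2.1", ECHO_REQUEST, 0)
# "-d 0/0 8" as in the post: the 8 lands in the ICMP *code* field.
AS_POSTED = Rule("ppp+", "0.0.0.0/0", "0.0.0.0/0", "DENY", icmp_code=8)
# "-s 0/0 8" (or --icmp-type echo-request): the 8 is the ICMP *type*.
BY_TYPE = Rule("ppp+", "0.0.0.0/0", "0.0.0.0/0", "DENY", icmp_type=ECHO_REQUEST)
```

Under that convention the rule as posted only matches ICMP packets whose code is 8, so a ping (type 8, code 0) falls through to the chain policy, while the same 8 placed in the -s field matches it.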