> Hi All,
>
> How do I configure ipfw2 to allow ping and traceroute from my internal
> network to the outside but not the other way around?
Ping is usually ICMP ECHO out, ICMP ECHO REPLY in. It can
however be implemented using UDP/TCP or any other protocol
in a similar manner to traceroute. All it requires is some
response to be returned. Both "udpping" and "tcpping"
exist.
If you want to block traceroute don't offer *any* services
to the outside world and use stateful rules for outgoing
traffic. traceroute works by causing systems to generate
ICMP TIME EXCEEDED. You really don't want to block that
going out.
Traceroute really is not bad, nor is ping. Both are useful
diagnostic tools.
What was bad was "directed broadcasts". This used to be
done w/ ICMP ECHO requests which were then responded to by all
the systems in the broadcast domain. When this was being
done the only solution was "block ICMP"/"block ICMP ECHO".
Mark
> Thanks,
> Khoi
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to
> "freebsd-stable-unsubscribe@freebsd.org"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org