On Fri, 3 Sep 2004 freebsd-security-request@freebsd.org wrote:
> Message: 1
> Date: Thu, 02 Sep 2004 12:05:26 -0500
> From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
> Subject: Re: IPFW and icmp
> To: Dave <mudman@metafocus.net>
> Cc: freebsd-security@freebsd.org
> Message-ID: <413752D6.4060100@daleco.biz>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Dave wrote:
>
>> I'm not a master of the internet RFCs, but I do believe icmp messages have
>> different types.
>>
>> Now to enable traceroute for IPFW, I might put in a rule like this:
>>
>> ipfw add pass icmp from any to me
>>
>> However, how would I make a rule to limit icmp messages to just those used
>> by traceroute? Can the messages be distinguished as such?
>>
>>
>>
>
> I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11". That
> includes 'echo request', of course. Someone else may have a better idea.
>
>> A dynamic rule that exists only for the duration of a traceroute execution
>> would be even better. I take it 'setup' or 'check-state' would follow in
>> that case?
>>
>>
>>
> Seems likely. *sigh* one more manpage to read.... ;-)
>
> Kevin Kinsey
>
You guys should check out this link here for the ICMP types.
http://www.iana.org/assignments/icmp-parameters might help
you out a little.
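To make the question in the thread concrete, the following is an added example (not code from any poster and not ipfw's implementation): it parses ICMP messages, applies the type list 0,3,4,8,11 quoted above, and reads the probe quoted inside an ICMP error, which is how a traceroute reply can be told apart from other ICMP traffic. The names `classify` and `build`, the documentation addresses and the port 33435 are assumptions constructed for the illustration.

```python
import struct

# Types admitted by the rule quoted in the thread: icmptypes 0,3,4,8,11
ALLOWED_TYPES = {0, 3, 4, 8, 11}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    data += b"\x00" * (len(data) % 2)          # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(itype: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message (constructed test input) with a valid checksum."""
    body = rest + payload
    csum = checksum(struct.pack("!BBH", itype, code, 0) + body)
    return struct.pack("!BBH", itype, code, csum) + body

def classify(icmp: bytes) -> dict:
    """Report whether the type list admits a message and its role for traceroute."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    itype, code = icmp[0], icmp[1]
    out = {"type": itype, "code": code, "allowed": itype in ALLOWED_TYPES,
           "role": "other", "probe": None}
    if itype in (3, 11) and len(icmp) >= 8 + 20:
        # ICMP errors quote the offending IP header plus 8 bytes of its payload,
        # which identifies the probe that triggered them.
        inner = icmp[8:]
        ihl = (inner[0] & 0x0F) * 4
        l4 = inner[ihl:ihl + 8]
        if inner[9] == 17 and len(l4) >= 4:    # UDP probe: record destination port
            out["probe"] = ("udp", struct.unpack("!H", l4[2:4])[0])
        elif inner[9] == 1 and len(l4) >= 1:   # ICMP probe: record quoted type
            out["probe"] = ("icmp", l4[0])
    if (itype, code) == (11, 0):               # TTL exceeded in transit
        out["role"] = "hop"
    elif (itype, code) == (3, 3) or itype == 0:  # port unreachable / echo reply
        out["role"] = "destination"
    return out

# Constructed sample: quoted IPv4 header (TTL 1, protocol UDP, header checksum
# left at 0) followed by a UDP header addressed to port 33435.
QUOTED = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
          + struct.pack("!HHHH", 40000, 33435, 8, 0))
HOP, DEST = build(11, 0, bytes(4), QUOTED), build(3, 3, bytes(4), QUOTED)
REDIRECT = build(5, 1, bytes([192, 0, 2, 1]), QUOTED)  # type 5 is not in the list
```

For a host that only runs UDP traceroute outbound, the replies it needs back are type 11 and type 3; types 0 and 8 matter only for ICMP-based probes and ping.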