Displaying 20 results from an estimated 25 matches for "icmptype".

2017 Jan 30
1
Help with iptables && tinc
...0 0 ACCEPT udp -- lo * 0.0.0.0/0 > 0.0.0.0/0 udp dpt:3306 > 0 0 NRPE tcp -- * * 0.0.0.0/0 > 0.0.0.0/0 tcp dpt:5666 > 0 0 ACCEPT icmp -- * * x.x.x.x 0.0.0.0/0 > icmptype 8 > 0 0 ACCEPT icmp -- * * 127.0.0.1 > 0.0.0.0/0 icmptype 8 > 0 0 ACCEPT icmp -- * * 10.0.3.0/24 > 0.0.0.0/0 icmptype 8 > 0 0 ACCEPT tcp -- * * 10.0.3.0/24 > 0.0.0.0/0 >...
2004 Jul 28
3
Ipfw config
...61 in via bge0 keep-state ## razor ## add 00695 allow tcp from me to any dst-port 2703 out via bge0 setup keep-state ###### ICMP ###### ## Allow out & in console traceroot command ## add 00700 allow udp from me to any 33435-33500 out via bge0 keep-state add 00701 allow log icmp from any to me icmptype 3,11 in via bge0 limit src-addr 2 ## ping out ## add 00710 allow icmp from any to any out via bge0 keep-state ## ping in ## add 00720 allow log icmp from any to me icmptype 0,8 in via bge0 ## This sends a RESET to all ident packets ## add 00730 reset log tcp from any to me 113 in via bge0 limit sr...
2017 Jan 30
4
Help with iptables && tinc
Hi, I've been able to get tinc setup when I flush all my iptables, but after enabling iptables and a delay I get a "Destination Net Unknown". I have three hosts (HOME 10.0.3.2, MASTER 10.0.3.1, WEB 10.0.3.3). MASTER and WEB are in Digital Ocean in the same data centre. HOME <---> MASTER <---> WEB I've tried multiple forwarding/masquerading/etc rules and
2017 Jan 30
0
Help with iptables && tinc
...tcp dpt:3306 0 0 ACCEPT udp -- lo * 0.0.0.0/0 0.0.0.0/0 udp dpt:3306 0 0 NRPE tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5666 0 0 ACCEPT icmp -- * * x.x.x.x 0.0.0.0/0 icmptype 8 0 0 ACCEPT icmp -- * * 127.0.0.1 0.0.0.0/0 icmptype 8 0 0 ACCEPT icmp -- * * 10.0.3.0/24 0.0.0.0/0 icmptype 8 0 0 ACCEPT tcp -- * * 10.0.3.0/24 0.0.0.0/0 0 0 ACCEPT udp --...
2004 Sep 03
0
ipfw rules or something alike
> I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11". That > include 'echo request', of course. Someone else may have a better idea. You want to be pinged? Why don't you let something in and something out? I.e.: add 10000 allow icmp from any to any icmptypes 8 out add 10100 allow icmp from any to any icmptypes 0 in...
2011 Aug 15
11
Re: [Xen-devel] xen 4.1.2* dhcp issue/bug when installing/booting HVM domU domains (CentOS 6, Ubuntu 11.04 server). Debian/OpenSolaris work fine.
...41.9 netbsdhvm.born2b3.net 7 4096 2 -b---- 17.6 opensolarishvm.born2b3.net 3 4096 2 -b---- 179.6 # --- Pings from *centos-hvm* to dom0 interface*no ip-traffic on peth0* # --- root@xen411dom0:/ftp/HVM# tcpdump 'icmp[icmptype] = icmp-echo and icmp[icmptype] != icmp-echoreply' tcpdump: WARNING: peth0: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on peth0, link-type EN10MB (Ethernet), capture size 65535 bytes ^C 0 packets captured 6 packets receive...
2007 Dec 13
3
IPFW compiled in kernel: Where is it reading the config?
Hi peeps, After compiling ipfw into the new 6.2 kernel, and typing "ipfw list", all I get is: "65535 deny ip from any to any" From reading the docs, this might indicate that this is the default rule. (I am certainly protected this way--but can't be very productive ;^) ) By the way, when I run "man ipfw" I get nothing. Using this instead:
2007 Dec 20
1
IPFW: Blocking me out. How to debug?
...> # Allow established connections: >> add allow tcp from any to any established >Nope. >> # Deny fragmented packets: >> add deny ip from any to any frag >Nope. >> # Show pings: >> add count icmp from any to any icmptypes 8 in >Nope. >> # Allow pings, ping replies, and host unreach: >> add allow icmp from any to any icmptypes 0,8,3 >Nope. >> # Allow UDP traceroutes: >> add allow udp from any to any 33434-34458 in >> add allow udp from any 3...
2019 Dec 11
1
CentOS-8: firewalld not starting
Hello everyone, When I try to start firewalld in CentOS-8 it refuses with this in the /var/log/firewalld, any suggestions? 2019-12-11 19:11:25 WARNING: ipset not usable, disabling ipset usage in firewall. 2019-12-11 19:11:25 ERROR: No icmptypes found. 2019-12-11 19:11:25 ERROR: Failed to load nf_conntrack module: modprobe: ERROR: could not find module by name='nf_conntrack' modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg) modprobe: ERROR: Error running install co...
2007 Dec 24
0
Fwd: Re: IPFW: Blocking me out. How to debug?
...>Ethernet interface. What would be more secure? > > > >> > >> # Deny fragmented packets: >> > >> add deny ip from any to any frag > >> > >> # Show pings: >> > >> add count icmp from any to any icmptypes 8 in >> > > >> >>That's inbound ping requests. Don't forget that 'inbound' means > coming >>into the firewall, not necessarily from the outside world. Your own >>ping requests _from_ this box also have to both come in, and go out. > >...
2005 Mar 06
1
3 Interface problem
...Ping from XP client to LOC (as default gateway 192.168.1.254) gets error: Request timed out. Shorewall, at the same time generates the following: Mar 5 19:35:52 punisher kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.1.254 DST=192.168.1.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40237 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=256 I feel like this is where my problem is, as it appears that pings from the 'LOC' network are for some reason being forwarded out of eth0. There is a rule (default included in 3 interface example), ACCEPT Zone Local Firewall ICMP Any 8 Have setup cac...
2003 Apr 25
2
firewalling help/audit
...-state ${fwcmd} add pass tcp from 192.168.0.0:255.255.255.0 to any setup keep-state ${fwcmd} add pass udp from 192.168.0.0:255.255.255.0 to any keep-state # Deny suspicious packets $fwcmd add deny log tcp from any to any in tcpflags syn,fin # Allow some icmp ${fwcmd} add pass icmp from any to any icmptype 0,3,4,8,11,12 # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established # Allow IP fragments to pass through ### --> should we deny this ? ${fwcmd} add pass all from any to any frag # Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3 ${fwcmd} add pass tcp from...
2003 Oct 26
3
Best way to filter "Nachi pings"?
We're being ping-flooded by the Nachi worm, which probes subnets for systems to attack by sending 92-byte ping packets. Unfortunately, IPFW doesn't seem to have the ability to filter packets by length. Assuming that I stick with IPFW, what's the best way to stem the tide? --Brett Glass
2017 Jan 26
2
dsync dovecot / Failed connection refused
Your output looks like iptables -L -n. Can you add the -v option to check if the rule did handle packages? On 01/26/2017 05:39 PM, Thierry wrote: > ACCEPT tcp -- anywhere anywhere tcp dpt:4711
2008 Feb 18
0
[Bug 1441] New: flow record for ICMP6 missing type and code values
...Component: softflowd AssignedTo: djm at mindrot.org ReportedBy: bugzilla at nishidaya.org softflowd generates netflow v9 flow record for ICMP6 with dst port == 0, while ICMP (IPv4) case dst port = type *256+code. I know this feature is for CISCO compatibility (and v9 already has ICMPTYPE but CISCO doesn't use it). Since current CISCO routers generate flow record for ICMP6 with the same method (fill dst port with type & code), I would appreciate it if Softflowd did the same. softflowd.c around line 313 may be the place. -- Haru
2004 Sep 03
0
freebsd-security Digest, Vol 75, Issue 2
...>> >> ipfw add pass icmp from any to me >> >> However, how would I make a rule to limit icmp messages to just those used >> by traceroute? Can the messages be distinguished as such? >> >> >> > > I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11". That > include 'echo request', of course. Someone else may have a better idea. > >> A dynamic rule that exists only for the duration of a traceroute execution >> would be even better. I take it 'setup' or 'check-state' would follow in...
2008 May 28
2
Sockets stuck in FIN_WAIT_1
...000 net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1 net.inet.tcp.inflight_enable=1 and loader.conf accf_http_load="YES" kern.ipc.nmbclusters=32768 net.inet.tcp.tcbhashsize=4096 kern.ipc.maxsockets=131072 ipfw: 00200 allow tcp from any to me 80 setup 00200 allow icmp from any to me icmptype 0,3,8,11 00200 deny log ip from any to me ifconfig: bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=3<RXCSUM,TXCSUM> inet 1.2.3.4 netmask 0xfffffff8 broadcast 5.6.7.8 ether 00:06:5b:f7:c8:7b media: Ethernet autoselect (1000baseTX <full-duplex>) A...
2004 Feb 19
2
traffic normalizer for ipfw?
Hi there, Is there some way to configure ipfw to do traffic normalizing ("scrubbing", as in ipf for OpenBSD)? Is there any tool to do it for FreeBSD firewalling? I've heard that ipf was ported on current, anything else? TIA, /Dorin.
2013 Feb 09
5
FreeBSD DDoS protection
Hi, I have a router running BGP and OSPF (bird) on FreeBSD. Are there any best practises one can take in order to protect the network from DDoS attacks. I know this isn't easy. But I would like to secure my network as much as possible. Even if I am not able to prevent or block a DDoS I would like to get some info (SNMP trap perhaps) regarding the attack. Then I can contact my ISP or
2016 Jul 14
2
CentOS7 firewalld problem
...ts: icmp-blocks: rich rules: [root@biz103 ~]# ls -l /etc/firewalld total 28 -rw-r--r-- 1 root root 187 Jul 14 06:55 direct.xml -rw------- 1 root root 1028 Jul 14 08:05 firewalld.conf -rw-r----- 1 root root 1026 Mar 5 2015 firewalld.conf.old drwxr-x---. 2 root root 4096 Mar 5 2015 icmptypes -rw-r-----. 1 root root 271 Mar 5 2015 lockdown-whitelist.xml drwxr-x---. 2 root root 4096 Mar 5 2015 services drwxr-x---. 2 root root 4096 Jul 14 07:40 zones [root@biz103 ~]# ls -l /etc/firewalld/zones total 12 -rw-r--r-- 1 root root 356 Jul 14 07:40 external.xml -rw-r--r-- 1 root root...