RE: [cobalt-users] [Qube2] ICMP IP Filtering
- Subject: RE: [cobalt-users] [Qube2] ICMP IP Filtering
- From: David Zanetti <david.zanetti@xxxxxxxxxxx>
- Date: Thu Apr 27 17:49:38 2000
On Friday, April 28, 2000 11:09 AM, Mike Vanecek wrote:
> I have used the Qube2 GUI to set up my IP rules (a copy of
> which is posted at the end). Before I contact Professional
> Support Services for a quote, I thought I would ask the
> group again whether they have any ideas as to how to
> do what I want to do (ping from the intranet to the internet,
> but not allow the internet to ping the Qube2 - I am able to
> do one or the other, but not both at the same time)?
I would suggest you probably don't want to drop all ICMP to the Qube2, as
that will break various things. The best approach would be to silently drop
incoming ICMP packets of the type ICMP_ECHO:
ipfwadm -I -a reject -P ICMP -S 0/0 ICMP_ECHO -W <external interface>
(Note, this is from memory and it's been a while since I used ipfwadm. If it
doesn't accept ICMP_ECHO, try using 8 instead, which is the message number
for ICMP_ECHO. -D options are irrelevant.)
This will allow:
- Normal ICMP packets to reach the Qube2 (e.g., for refused connections to
remote hosts)
- Internal hosts to ping the Qube2
- Internal hosts to ping anywhere else
- External hosts unable to ping the Qube2
I strongly recommend the use of -W (or the ipchains equivalent, -i) as it is
far more controllable.
--
David Zanetti, Unix System Administrator and Postmaster
Wellington City Council, New Zealand. Phone +64-4-801-3354
The light at the end of the tunnel is a train heading for you
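As an added illustration, not part of David's message or of the Qube2 software, here is a small Python model of the input-chain semantics behind that ipfwadm rule: first matching rule wins, the chain's default policy applies otherwise, and only ICMP type 8 arriving on the external interface is dropped. The interface names eth0/eth1, the Packet and Rule types and the sample packets are all assumptions made for the example.

```python
# Added example: toy model of an ipfwadm-style input chain (first match wins,
# default policy when nothing matches). Interface names and packets are made up.
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0      # reply to a ping the intranet sent out
ICMP_DEST_UNREACH = 3    # e.g. connection refused by a remote host
ICMP_ECHO = 8            # ping request ("-S 0/0 8" in ipfwadm syntax)

@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on (-W)
    proto: str              # "icmp", "tcp" or "udp"
    icmp_type: int = -1     # only meaningful for ICMP

@dataclass(frozen=True)
class Rule:
    policy: str             # "accept", "deny" (silent drop) or "reject"
    proto: str = "all"      # -P
    icmp_type: int = -1     # the "port" field after -S for ICMP; -1 = any
    iface: str = ""         # -W; "" = any interface

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.icmp_type != -1 and self.icmp_type != pkt.icmp_type:
            return False
        return self.iface in ("", pkt.iface)

def filter_input(pkt: Packet, chain: list, default: str = "accept") -> str:
    """Verdict for an incoming packet: first matching rule wins."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.policy
    return default

# The rule from the reply: drop echo requests on the external interface only.
# "deny" drops silently; "reject" would answer with an ICMP unreachable.
EXTERNAL, INTERNAL = "eth1", "eth0"          # assumed interface names
QUBE_CHAIN = [Rule("deny", "icmp", ICMP_ECHO, EXTERNAL)]

# The same rule without -W, to show why the interface qualifier matters.
UNSCOPED_CHAIN = [Rule("deny", "icmp", ICMP_ECHO)]

def verdicts(chain: list) -> dict:
    return {
        "external ping":        filter_input(Packet(EXTERNAL, "icmp", ICMP_ECHO), chain),
        "internal ping":        filter_input(Packet(INTERNAL, "icmp", ICMP_ECHO), chain),
        "reply to our ping":    filter_input(Packet(EXTERNAL, "icmp", ICMP_ECHO_REPLY), chain),
        "unreachable from net": filter_input(Packet(EXTERNAL, "icmp", ICMP_DEST_UNREACH), chain),
    }
```

Comparing verdicts(QUBE_CHAIN) with verdicts(UNSCOPED_CHAIN) shows the point about -W: without it, the intranet loses its ability to ping the Qube2 as well.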