Re: [cobalt-users] [Qube2] ICMP IP Filtering
- Subject: Re: [cobalt-users] [Qube2] ICMP IP Filtering
- From: Mike Vanecek <nospam99@xxxxxxxxxxxx>
- Date: Fri Apr 28 21:03:03 2000
- Organization: anonymous
On Fri, 28 Apr 2000 12:49:37 +1200, David Zanetti <david.zanetti@xxxxxxxxxxx>
wrote:
:>I would suggest you probably don't want to drop all ICMP to the Qube2, as
:>that will break various things. The best approach would be to silently drop
:>incoming ICMP packets of the type ICMP_ECHO:
:>
:>ipfwadm -I -a reject -P ICMP -S 0/0 ICMP_ECHO -W <external interface>
:>
:>(Note, this is from memory and it's been a while since I used ipfwadm. If it
:>doesn't accept ICMP_ECHO, try using 8 instead, which is the message number
:>for ICMP_ECHO. -D options are irrelevant.)
If I am reading the man correctly,
-I input rules, -a reject (I need to study this as I thought -a deny would
offer more invisibility), -P ICMP check ICMP packets, -S 0/0 any source
address - default if left off, ICMP_ECHO should be a valid type 8 service
type, -W name of the external interface.
Not exactly sure of the meaning of the -W "name of interface via which a
packet is received?" Is this the DNS name or internal routing name? Would
not the -V IP address serve the same purpose?
:>This will allow:
:>- Normal ICMP packets to reach the Qube2 (eg, for refused connections to
:>remote hosts)
:>- Internal hosts to ping the Qube2
:>- Internal hosts to ping anywhere else
:>- External hosts unable to ping the Qube2
Exactly what I want to accomplish!
:>I strongly recommend the use of -W (or the ipchains equivalent, -i) as it is
:>far more controllable.
Will -V IP address work as well?
Thank you very much. I had not seen that [port ...] is the same as [type...]
in the ipfwadm man until your message. Very helpful. I shall experiment a bit
with it and see how badly it confuses the GUI!
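To make the four outcomes listed in the quoted message concrete, here is a small Python model of how an ipfwadm input (-I) rule like the one quoted is evaluated; it is an added illustration, not code from the thread or from the Qube2, and the interface names (eth0 internal, eth1 external) and addresses are constructed. It also shows the deny/reject distinction raised above: in ipfwadm, deny drops the packet silently, while reject drops it and sends an ICMP host-unreachable back to the sender.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ICMP_ECHO = 8           # the numeric type suggested in the thread
ICMP_DEST_UNREACH = 3   # "normal" ICMP that must still get through

@dataclass
class Packet:
    iface: str                      # interface it arrived on (what -W matches)
    src: str
    proto: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    """One ipfwadm -I rule: -a policy -P proto -S src [type] -W iface."""
    policy: str                     # "accept", "deny" or "reject"
    proto: str = "all"
    src: str = "0.0.0.0/0"          # -S 0/0
    icmp_type: Optional[int] = None # the [port ...] field doubles as ICMP type
    iface: Optional[str] = None     # -W <name>; None matches any interface

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "all" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src, strict=False)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type)
                and (self.iface is None or self.iface == pkt.iface))

def filter_input(rules, pkt, default="accept"):
    """First matching rule wins, else the chain's default policy.
    Returns (verdict, error_sent): deny drops silently, reject also sends
    an ICMP host-unreachable back, which is what reveals the host."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.policy, rule.policy == "reject"
    return default, False

# The quoted rule with deny in place of reject; eth1 is assumed external.
EXTERNAL_IF = "eth1"
RULES = [Rule("deny", proto="icmp", icmp_type=ICMP_ECHO, iface=EXTERNAL_IF)]

def verdict(pkt):
    return filter_input(RULES, pkt)

# Constructed packets for the cases listed in the thread.
external_ping = Packet("eth1", "203.0.113.5", "icmp", ICMP_ECHO)
internal_ping = Packet("eth0", "192.168.1.20", "icmp", ICMP_ECHO)
unreachable = Packet("eth1", "203.0.113.5", "icmp", ICMP_DEST_UNREACH)
echo_reply = Packet("eth1", "203.0.113.5", "icmp", 0)
```

Only the echo request arriving on the external interface is dropped; echo requests from the inside, echo replies to internal pings, and destination-unreachable messages all still reach the host.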