RE: [cobalt-users] [Qube2] ICMP IP Filtering
- Subject: RE: [cobalt-users] [Qube2] ICMP IP Filtering
- From: David Zanetti <david.zanetti@xxxxxxxxxxx>
- Date: Sun Apr 30 14:44:07 2000
On Saturday, April 29, 2000 4:05 PM, Mike Vanecek wrote:
> On Fri, 28 Apr 2000 12:49:37 +1200, David Zanetti
> <david.zanetti@xxxxxxxxxxx>
> wrote:
>
> :>I would suggest you probably don't want to drop all ICMP to the Qube2, as
> :>that will break various things. The best approach would be to silently drop
> :>incoming ICMP packets of the type ICMP_ECHO:
> :>
> :>ipfwadm -I -a reject -P ICMP -S 0/0 ICMP_ECHO -W <external interface>
> :>
>
> If I am reading the man correctly,
>
> -I input rules, -a reject (I need to study this as I thought -a deny would
> offer more invisibility),
I believe when filtering ICMP packets deny and reject are the same. At
least, it's true for ipchains (2.2.x kernel), which is what I use most of
the time now.
> -S 0/0 any source address - default if left off
Not quite, you need the -S specification to be able to specify the port
(message in icmp) number. The -S option takes the form: -S address[/mask]
[port-spec]
> -W name of the external interface.
>
> Not exactly sure of the meaning of the -W "name of interface via which a
> packet is received?" Is this the DNS name or internal routing name? Would
> not the -V IP address serve the same purpose?
-W expects the name of the interface, i.e. eth0, eth1, lo, ppp0, etc. I
personally find it more convenient to specify by interface than by the IP
address loaded on that interface, which is what -V does. -W doesn't care
what the DNS name or IP address is, it just cares what the interface name from
the kernel's perspective is.
> :>I strongly recommend the use of -W (or the ipchains equivalent, -i) as it is
> :>far more controllable.
>
> Will -V IP address work as well?
Yup.
--
David Zanetti, Unix System Administrator and Postmaster
Wellington City Council, New Zealand. Phone +64-4-801-3354
The light at the end of the tunnel is a train heading for you
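As an added illustration, not part of this thread or of Cobalt's software, the following Python model shows why the message recommends dropping only ICMP echo requests on the external interface rather than all ICMP. It parses a raw IPv4 packet far enough to find the ICMP type, applies a first-match rule list in the spirit of `ipfwadm -I -a deny -P ICMP -S 0/0 ICMP_ECHO -W <iface>` (in ipchains terms, roughly `ipchains -A input -p icmp -s 0/0 echo-request -i <iface> -j DENY`), and compares an echo-only policy with a drop-all-ICMP policy on a constructed "fragmentation needed" message, which path MTU discovery depends on. The interface name `eth1` and all packets are constructed for the example.

```python
import struct

ICMP_PROTO = 1
TCP_PROTO = 6
ICMP_DEST_UNREACH = 3        # code 4 = fragmentation needed (PMTU discovery)
ICMP_ECHO_REQUEST = 8        # what ipfwadm calls ICMP_ECHO

EXTERNAL_IFACE = "eth1"      # hypothetical external interface name


def build_ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 packet (no checksum, no options) for testing."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      to_bytes(src), to_bytes(dst))
    return hdr + payload


def build_icmp(src, dst, icmp_type, icmp_code=0):
    """Constructed IPv4+ICMP packet: type, code, checksum, id, sequence."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1)
    return build_ipv4(src, dst, ICMP_PROTO, icmp)


def icmp_type_of(packet):
    """Return the ICMP type of a raw IPv4 packet, or None if it is not ICMP."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length honours IP options
    if packet[9] != ICMP_PROTO or len(packet) < ihl + 1:
        return None
    return packet[ihl]


# A rule is (interface or None, icmp_type or None, action); None matches anything.
ECHO_ONLY_RULES = [(EXTERNAL_IFACE, ICMP_ECHO_REQUEST, "DENY")]
ALL_ICMP_RULES = [(EXTERNAL_IFACE, None, "DENY")]


def verdict(packet, iface, rules, default="ACCEPT"):
    """First matching ICMP rule wins; non-ICMP traffic falls through to the default."""
    icmp_type = icmp_type_of(packet)
    if icmp_type is None:
        return default
    for rule_iface, rule_type, action in rules:
        if rule_iface is not None and rule_iface != iface:
            continue
        if rule_type is not None and rule_type != icmp_type:
            continue
        return action
    return default


def compare_policies():
    """Show that dropping all ICMP also kills the messages the host needs."""
    ping = build_icmp("203.0.113.9", "192.0.2.1", ICMP_ECHO_REQUEST)
    frag_needed = build_icmp("198.51.100.1", "192.0.2.1", ICMP_DEST_UNREACH, 4)
    return {
        "echo_only": (verdict(ping, EXTERNAL_IFACE, ECHO_ONLY_RULES),
                      verdict(frag_needed, EXTERNAL_IFACE, ECHO_ONLY_RULES)),
        "all_icmp": (verdict(ping, EXTERNAL_IFACE, ALL_ICMP_RULES),
                     verdict(frag_needed, EXTERNAL_IFACE, ALL_ICMP_RULES)),
    }


if __name__ == "__main__":
    for policy, (ping_v, frag_v) in compare_policies().items():
        print(f"{policy:10s} echo-request={ping_v:6s} frag-needed={frag_v}")
```

Rules bound to the external interface leave pings arriving on the internal interface untouched, which is the controllability the message attributes to -W (or -i in ipchains); a policy that denies all ICMP also discards the "fragmentation needed" messages, which is the breakage the first quoted paragraph warns about.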