
Re: [cobalt-users] [Qube2] ICMP IP Filtering



On Sun, 30 Apr 2000 21:50:28 -0400 (EDT), Gordon
<root@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

:>
:>On Sun, 30 Apr 2000, Mike Vanecek wrote:
:>> but allows all stations and the server to ping out. Of course, it does not
:>> show up in the GUI IP filter rule list which may explain why the Cobalt
:>> Customer Service rep did not give me instructions or advice on how to do
:>> it. Maybe Cobalt needs to improve the GUI IP Filter list to include ICMP
:>
:>Well, you would think you could set port numbers -/, but the qube isn't
:>really sold as a general purpose router....still hard to beat a nice cisco
:>(sorry cobalt -)

Actually one can set port numbers, just not icmp type numbers. I would think
the GUI (which is just doing an ipfwadm command) would work the same so that
it is a port number if one is doing a tcp or udp setting and an icmp type if
one is doing an icmp setting.

Not trying to do general purpose routing, just trying to do a little simple
minded firewall setting which is included with the Qube2. I understand that I
could buy and install a hardware firewall, but I am trying to get as much
risk protection as is possible with the Qube2 setup. What I have set up now is
far from perfect, but it does close down a ton of stuff that not having the
filters turned on would allow.

:>Now that you can't ping it, how about other things like 'port unreachable'
:>messages so you can't traceroute? 

The same setting I posted will also give port unreachable if you try to
traceroute the Qube2. I may need to block some other icmp types, but am
rather new at this and do not know which other ones I should block.

:>Actually, why did you want to make it unpingable? being unpingable in and
:>of itself is kinda overrated as a security measure...

Yes, but it is better than nothing. Besides, it was a great <grin> learning
experience. If someone is randomly pinging or tracerouting ip addresses, mine
will not show up as being turned on. Should I be blocking other icmp types?

:>ipfwadm is probably the most cryptic utility around, really, the
:>documentation assumes that you know an awful lot about the gory details
:>of how tcp works, probably more than necessary, and the rather large
:>number of combinations possible between interfaces/addresses/protocol
:>types/ports etc doesn't exactly help...

It has been a rather steep learning curve and I am still at the very bottom.

Mike.
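The ipfwadm point made above (for `-P icmp` the number after the `-S` address is an ICMP type, where for tcp/udp it would be a port) is easiest to see in a concrete rule set. The script below is an added example, not the setting Mike posted earlier in the thread or anything shipped with the Qube2. It assumes the outside interface is `eth0`, and it defaults `IPFWADM` to `echo ipfwadm` so that running it only prints the rules; on the box itself you would set `IPFWADM=/sbin/ipfwadm` to install them. The shape follows the question in the message: block inbound echo-request, keep the reply types that outbound ping and traceroute need, and deny any other ICMP from outside, with the echo-request rule logged so the attempts are visible in syslog.

```shell
#!/bin/sh
# Added example: an ipfwadm input-chain ICMP filter for a Qube2-style host.
# IPFWADM defaults to "echo ipfwadm" (dry run, prints the commands);
# set IPFWADM=/sbin/ipfwadm to actually install the rules.
# eth0 as the outside interface is an assumption.

# ICMP type numbers from RFC 792. With -P icmp, ipfwadm reads the numbers
# following the -S address as ICMP types instead of source ports.
ICMP_ECHO_REPLY=0
ICMP_DEST_UNREACH=3
ICMP_ECHO_REQUEST=8
ICMP_TIME_EXCEEDED=11

# Emit (or install) the rules for the given outside interface.
# ipfwadm evaluates rules in order and the first match wins, so the
# accept rule for the wanted reply types must come before the catch-all deny.
icmp_filter_rules() {
    iface=$1
    fw=${IPFWADM:-echo ipfwadm}

    # 1. Drop inbound echo-request (type 8) so outsiders cannot ping the box;
    #    -o logs each matching packet to the kernel log.
    $fw -I -a deny -P icmp -S 0.0.0.0/0 $ICMP_ECHO_REQUEST -W "$iface" -o

    # 2. Keep accepting the replies our own outbound ping and traceroute rely on:
    #    echo-reply, destination-unreachable, time-exceeded.
    $fw -I -a accept -P icmp -S 0.0.0.0/0 \
        $ICMP_ECHO_REPLY $ICMP_DEST_UNREACH $ICMP_TIME_EXCEEDED -W "$iface"

    # 3. Deny every other ICMP type arriving on the outside interface.
    $fw -I -a deny -P icmp -S 0.0.0.0/0 -W "$iface"
}

# Sanity helper: number of deny rules the function produces in dry-run mode.
count_deny_rules() {
    IPFWADM="echo ipfwadm" icmp_filter_rules "$1" | grep -c ' -a deny '
}

icmp_filter_rules eth0
```

Because the deny in step 3 already covers echo-request, step 1 exists only to log ping attempts separately; drop it if the log noise is unwanted. Note that these are input-chain (`-I`) rules on the outside interface only, so stations behind the Qube2 and the Qube2 itself can still ping out, which is the behaviour described in the thread.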