From: Jeff Palmer (scorpio@drkshdw.org)
Date: Sun Feb 24 2002 - 10:13:49 CST
I'm not sure if you two are bored, or what the problem is. Let me
reiterate the last two lines of my original message.
"Is there any reason in particular, that ALL icmp traffic is denied by
default, except for using the 'open' ruleset?
Or is this just a simple oversight, that needs to be examined?"
I'm ASKING if it was an oversight that the DEFAULT policies (other than
'open') are denying ICMP. As it is typically agreed that some ICMP types
are beneficial.
I know damn well how a firewall works. I also know how to modify it for MY
needs. (You might have noticed in my original post that I said I use a
modified simple ruleset; ICMP is just one of the modifications.) I'm
not asking why it blocks ICMP due to a lack of knowledge about how packet
filtering works. I'm asking why the default firewall blocks beneficial
ICMP types, given that some people hear "install a firewall, install
a firewall" and don't know the first thing about it. Chances are high
that they are using these default rules, which block ICMP.
I've monitored this list for quite some time.
I'd rather this thread not be turned into the circus that you two seem to
enjoy.
It's a legit concern, and I'd rather it be addressed publicly.
----- Original Message -----
From: "Ralph Huntington" <rjh@mohawk.net>
To: "Jeff Palmer" <scorpio@drkshdw.org>
Cc: "Dag-Erling Smorgrav" <des@ofug.org>; <freebsd-security@FreeBSD.ORG>
Sent: Sunday, February 24, 2002 10:43 AM
Subject: Re: Couple of concerns with default rc.firewall
> Maybe I'm missing the point, but doesn't "deny ip from any to any" (which
> is the last rule in a block-all-by-default firewall) mean to
> block everything, meaning everything? Nothing would be allowed, not any
> icmp of any type or anything else. In order to allow anything in
> particular, that would have to be explicitly enabled in a prior (ipfw)
> rule, is that not correct?
>
>
> On Sun, 24 Feb 2002, Jeff Palmer wrote:
>
> > DES,
> >
> > Maybe you fail to see my point. I was wondering if there was a reason the
> > FreeBSD team has decided not to allow certain ICMP's by default.
> > I'm perfectly aware of how to change the rules to do what I want. I was
> > asking if there was a reason for this decision, or if it was an oversight.
> >
> >
> > ----- Original Message -----
> > From: "Dag-Erling Smorgrav" <des@ofug.org>
> > To: "Jeff Palmer" <scorpio@drkshdw.org>
> > Cc: <freebsd-security@FreeBSD.ORG>
> > Sent: Sunday, February 24, 2002 7:16 AM
> > Subject: Re: Couple of concerns with default rc.firewall
> >
> >
> > > "Jeff Palmer" <scorpio@drkshdw.org> writes:
> > > > Is there any reason in particular, that ALL icmp traffic is denied
> > > > by default, except for using the 'open' ruleset?
> > >
> > > The default rule #65535 is "deny ip from any to any". Wouldn't you be
> > > surprised if this *didn't* block all ICMP packets?
> > >
> > > Just add the following early on in your firewall ruleset:
> > >
> > > allow icmp from any to any icmptype 0,3,8,11
> > >
> > > preferably *after* any anti-spoofing rules.
> > >
> > > DES
> > > --
> > > Dag-Erling Smorgrav - des@ofug.org
> > >
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
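The rules DES quotes above (the catch-all rule 65535 and the suggested "allow icmp from any to any icmptype 0,3,8,11"), worked through in an added example that is not part of this thread: a small first-match evaluator for a few ipfw rule shapes, showing that the default deny swallows every ICMP type, that the allow rule admits only the listed types, and why DES says to place it after the anti-spoofing rules. The interface name ext0, the addresses and the rule numbers 100, 110 and 200 are assumptions made for the example.

```python
import ipaddress

# Constructed rc.firewall-style rules: (number, action, proto, src, dst, opts).
# "any" matches everything; src/dst may be a CIDR; opts may carry
# "icmptypes" (a set of ICMP type numbers) and "via" (an interface name).
# Interface name, addresses and rule numbers are assumptions for this example.
ANTI_SPOOF = [
    (100, "deny", "ip", "10.0.0.0/8", "any", {"via": "ext0"}),      # RFC1918 on outside
    (110, "deny", "ip", "192.168.0.0/16", "any", {"via": "ext0"}),
]
ALLOW_ICMP = (200, "allow", "icmp", "any", "any", {"icmptypes": {0, 3, 8, 11}})
DEFAULT_DENY = (65535, "deny", "ip", "any", "any", {})  # the implicit catch-all rule

def _addr_match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def evaluate(rules, pkt):
    """Return (rule_number, action) of the first rule that matches pkt.
    pkt is a dict with proto, src, dst, via and, for ICMP, icmptype."""
    for num, action, proto, src, dst, opts in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not _addr_match(src, pkt["src"]) or not _addr_match(dst, pkt["dst"]):
            continue
        if "via" in opts and opts["via"] != pkt["via"]:
            continue
        if "icmptypes" in opts and pkt.get("icmptype") not in opts["icmptypes"]:
            continue
        return num, action
    raise ValueError("ruleset has no catch-all rule")

def ping_reply(src="203.0.113.5", via="ext0"):
    # Constructed ICMP echo reply (type 0) arriving on the outside interface.
    return {"proto": "icmp", "src": src, "dst": "198.51.100.1", "via": via, "icmptype": 0}

# Three rulesets to compare: default only, allow rule after anti-spoofing, and before it.
DEFAULT_ONLY = ANTI_SPOOF + [DEFAULT_DENY]
ALLOW_AFTER = ANTI_SPOOF + [ALLOW_ICMP, DEFAULT_DENY]
ALLOW_BEFORE = [ALLOW_ICMP] + ANTI_SPOOF + [DEFAULT_DENY]

if __name__ == "__main__":
    for name, rs in [("default", DEFAULT_ONLY), ("after", ALLOW_AFTER), ("before", ALLOW_BEFORE)]:
        # Second packet claims a private source address on the outside interface.
        print(name, evaluate(rs, ping_reply()), evaluate(rs, ping_reply(src="10.1.2.3")))
```

With the allow rule placed first, a reply forged from a private source address matches rule 200 before the anti-spoofing rules ever see it; placed after them, it is dropped by rule 100.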