Subject: Re: Is my ipfilter list secure?
To: Richard Grace <rgrace@aapt.com.au>
From: Roger Fischer <roger@aileron.org>
List: netbsd-users
Date: 04/26/2002 08:26:10
Richard,  Thanks for the info.  I was hesitant to post this question so
I'm glad I didn't get flamed big time.

So I should add:
  pass in quick on eth0 proto icmp from any to $myip icmp-type 3

Quick question.  Do you know if I can use variables in the config file
(like $myip)?  Since it's a config file and not a script, I don't know how
ipf will handle it.  And... I'll have to figure out where to define those
variables, perhaps in the /etc/rc.d/ipfilter script.

Thanks,
- Rog

On Fri, 26 Apr 2002, Richard Grace wrote:

> >>> Roger Fischer <roger@aileron.org> 26/04/2002 16:48:45 >>>
>
> > I'm putting together a NetBSD box to replace my linux gateway.
> [...]
> > # Uncomment to allow others to ping/trace us
> > #   pass  in     quick on eth0 proto icmp from any to $myip icmp-type 0  # ping
> > #   pass  in     quick on eth0 proto icmp from any to $myip icmp-type 11 # Traceroute
> > # Otherwise, block all icmp.
> >      block in log quick on eth0
>
> You may wish to allow useful ICMP messages back in, which were not
> "solicited" by an outgoing ICMP message (eg, echo request/echo reply)
> such as icmp-type 3 (destination unreachable, including need to frag)
> and icmp-type 11 (time exceeded, in case of circular routes).
>
> Otherwise, it looks pretty good.
>
> Richard Grace
> Unix Systems Administrator
> AAPT Limited
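One way to get the effect of `$myip`-style variables without relying on ipf.conf expanding them, as an added example that is not part of the thread: generate the rule file from a small shell script (for instance from the place in the rc.d startup that loads the rules), so the interface name and address live in shell variables and the file ipf actually reads contains only literal rules. The interface `eth0`, the address `192.0.2.1` and the output path are constructed placeholders; the `ipf -Fa -f FILE` load command in the comment is ipf's usual way of flushing and reloading a rule file.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipf rule set from shell
# variables and write it out as plain rules.  Sample values below
# (eth0, 192.0.2.1) are constructed placeholders.
set -eu

# gen_ipf_rules IFACE MYIP -> prints a rule set on stdout with the
# variables already substituted, so ipf never sees a '$'.
gen_ipf_rules() {
    iface=$1
    myip=$2
    cat <<EOF
# Generated rule set for $iface ($myip); do not edit by hand.
# Let in the ICMP errors that are useful to us even though we did not
# send an ICMP request: type 3 (destination unreachable, incl. need-to-frag
# for path MTU discovery) and type 11 (time exceeded, e.g. routing loops).
pass in quick on $iface proto icmp from any to $myip icmp-type 3
pass in quick on $iface proto icmp from any to $myip icmp-type 11
# Uncomment to allow others to ping/trace us.
#pass in quick on $iface proto icmp from any to $myip icmp-type 0
# Everything else inbound on the outside interface is logged and dropped.
block in log quick on $iface
EOF
}

# write_ipf_rules IFACE MYIP OUTFILE -> writes the generated rules to OUTFILE
# and prints the number of rule lines written (comments excluded).
write_ipf_rules() {
    gen_ipf_rules "$1" "$2" > "$3"
    grep -c -v '^#' "$3"
}

# has_unexpanded_vars FILE -> exit status 0 if a literal '$' is still present,
# i.e. a variable was never substituted and ipf would read it verbatim.
has_unexpanded_vars() {
    grep -q '\$' "$1"
}

# Stand-alone demo: generate into a temp file and show it.  In an rc.d
# script the next step would be:  ipf -Fa -f "$tmpfile"
tmpfile=$(mktemp /tmp/ipf.rules.XXXXXX)
write_ipf_rules eth0 192.0.2.1 "$tmpfile" > /dev/null
if has_unexpanded_vars "$tmpfile"; then
    echo "unexpanded variable left in $tmpfile" >&2
    exit 1
fi
cat "$tmpfile"
rm -f "$tmpfile"
```

Keeping the generated file free of `$` is the check that matters: if ipf were handed an unexpanded `$myip` it would fail to parse the rule, and with `block in log quick` as the last rule a failed load can leave the box with whatever rule set was active before.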