

Block incoming pings while allowing outgoing pings
Authored by: molero on Aug 27, '03 05:51:43AM

I'm no expert on this, but one of the rules that BrickHouse writes to the ipfw config file, and which you cannot change and always comes before any custom rules, says:


#################################################
## Allow All ICMP Packets
#################################################
add 2004 allow icmp from any to any via en0

Wouldn't this allow pinging anyhow? Rules are applied top to bottom.



Block incoming pings while allowing outgoing pings
Authored by: molero on Aug 27, '03 10:21:02AM

Just tried it out - and yes, the default BrickHouse rule indeed allows for pinging your machine, no matter what rules you might add later.
To get it right, you need to remove this line from the ipfw config file:

add 2004 allow icmp from any to any via en0



Block incoming pings while allowing outgoing pings
Authored by: DirrtyDawg on Sep 04, '03 06:49:41PM

The only ICMP types that should be allowed from the Internet are 0, 3, 11, which are echo reply, destination unreachable and time exceeded. I don't see any reason for anyone pinging me since I don't provide any services to the world. Allowing type 8, which is echo request, CAN be a security hole, but needn't. I'm a Mac newbie so forgive me about my stupidity. I come from the Linux world and my stateful firewall can also limit access to a certain number/minute or hour or whatever you prefer. This would minimize the problem of getting pod or something. I believe ipfw is a good packet level firewall which can also do such things.

To explain the stateful thing: tcp packets contain a state which indicates what the data wants to do. For example, if it is related to another packet sent earlier then it would have a related state. Since icmp is a different layer 4 protocol it doesn't have states in it. If you send an echo request you get an echo reply which doesn't have any flags like syn or ack. ICMP is actually just for testing connections so it doesn't need all the stuff.

If someone wants to get a small introduction into firewalling theory just write an email.



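The two points raised in this thread, that ipfw applies rules top to bottom so BrickHouse's rule 2004 shadows anything added after it, and that only ICMP types 0, 3 and 11 need to come in from the Internet, as an added example that is not code from the thread or from BrickHouse. It is a small Python model of ipfw's first-match evaluation over a simplified subset of the rule syntax (the `icmptypes` keyword and `in`/`out` are real ipfw syntax, `en0` is the interface from the thread); it does not touch a real firewall, and the implicit final rule is assumed to be deny.

```python
# Added example, not code from the thread: a simplified first-match
# evaluator imitating how ipfw walks its rules top to bottom. It shows why
# BrickHouse's rule 2004 shadows any later ICMP rule, and what a ruleset
# that blocks inbound echo requests while still allowing outbound pings
# looks like. Only the subset of ipfw syntax used below is parsed.

ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# What BrickHouse writes, followed by a user's later attempt to block pings.
BRICKHOUSE_RULES = """
add 2004 allow icmp from any to any via en0
add 3000 deny icmp from any to any in via en0 icmptypes 8
"""

# Rule 2004 replaced: echo requests may leave, only replies, unreachables
# and time-exceeded may come in, and any other inbound ICMP is dropped.
FIXED_RULES = """
add 2004 allow icmp from any to any out via en0 icmptypes 8
add 2005 allow icmp from any to any in via en0 icmptypes 0,3,11
add 2006 deny icmp from any to any in via en0
"""

def parse_rule(line):
    """Parse 'add <num> <action> icmp from any to any [in|out] via en0 [icmptypes t,...]'."""
    tok = line.split()
    rule = {"num": int(tok[1]), "action": tok[2], "direction": None, "types": None}
    for d in ("in", "out"):
        if d in tok:
            rule["direction"] = d
    if "icmptypes" in tok:
        rule["types"] = {int(t) for t in tok[tok.index("icmptypes") + 1].split(",")}
    return rule

def decide(ruleset, direction, icmp_type):
    """Return the action of the first matching rule, ordered by rule number.
    A packet matching nothing hits ipfw's implicit final rule, assumed here to be deny."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
    for rule in sorted(rules, key=lambda r: r["num"]):
        if rule["direction"] not in (None, direction):
            continue  # rule is for the other direction
        if rule["types"] is not None and icmp_type not in rule["types"]:
            continue  # rule restricted to other ICMP types
        return rule["action"]
    return "deny"

if __name__ == "__main__":
    print("BrickHouse default, inbound ping:", decide(BRICKHOUSE_RULES, "in", ECHO_REQUEST))
    print("fixed ruleset, inbound ping:", decide(FIXED_RULES, "in", ECHO_REQUEST))
    print("fixed ruleset, outbound ping:", decide(FIXED_RULES, "out", ECHO_REQUEST))
```

With the BrickHouse ruleset the inbound echo request is allowed by rule 2004 before rule 3000 is ever consulted; with rule 2004 replaced, inbound echo requests are denied while outbound ones and the three reply-type messages still pass.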