Best way to filter "Nachi pings"?
Peter Pentchev
roam at ringlet.net
Mon Oct 27 03:43:15 PST 2003
On Mon, Oct 27, 2003 at 03:12:48AM -0800, Jason Stone wrote:
[snip]
> > > > Filtering packets by length on the other hand is a very nice feature
> > > > to have.
>
> > > As it happens, ipfw[2] does this anyway.
>
> Yes, ipfw2 (i.e., on fbsd-5 boxes) has an "iplen" option that you can put in
> the body of your rule. From the manpage:
>
> iplen len
> Matches IP packets whose total length, including header and
> data, is len bytes.
>
> However, this isn't going to help most people with 4.x systems, so their
> best option is probably still to block all pings.
Actually, ipfw2 has been backported to -STABLE for quite a while, and
the iplen keyword has been present in -STABLE's src/sbin/ipfw/ipfw2.c
ever since ipfw2 was MFC'd (about July 2002). You may want to take a
look at the ipfw(8) manual page, and specifically (as recommended at the
top of the manpage) the 'USING IPFW2 IN FreeBSD-STABLE' section to see
how you can actually use ipfw2 and 'iplen' in -STABLE :)
G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at sbnd.net roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.
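The iplen match quoted above compares against the IPv4 total-length field, i.e. header plus ICMP header plus payload. The following added example (not from the list thread or from ipfw itself) builds constructed ICMP echo packets and emulates a rule of the form "deny icmp from any to any icmptype 8 iplen N" so the arithmetic is visible; the 92-byte figure used for the worm ping is an assumption for illustration, and any length should be taken from packets actually observed on the wire.

```python
import struct

IP_PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Assumed length of the worm's echo request (20 IP + 8 ICMP + 64 payload);
# verify against captured traffic before deploying a rule on it.
ASSUMED_NACHI_IPLEN = 92


def build_icmp_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Construct a sample IPv4 + ICMP echo packet (checksums left zero: only lengths matter here)."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)  # type, code, csum, id, seq
    total_len = 20 + len(icmp_hdr) + len(payload)                # what 'iplen' matches on
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 128, IP_PROTO_ICMP, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),               # constructed RFC1918 addresses
    )
    return ip_hdr + icmp_hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields the ipfw rule inspects: protocol, total length, ICMP type."""
    ihl = (pkt[0] & 0x0F) * 4                                     # header length incl. options
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    icmptype = pkt[ihl] if proto == IP_PROTO_ICMP and len(pkt) > ihl else None
    return {"ihl": ihl, "iplen": total_len, "proto": proto, "icmptype": icmptype}


def matches_iplen_rule(pkt: bytes, iplen: int, icmptype: int = ICMP_ECHO_REQUEST) -> bool:
    """Emulate 'deny icmp from any to any icmptype <icmptype> iplen <iplen>'."""
    f = parse_ipv4(pkt)
    return f["proto"] == IP_PROTO_ICMP and f["icmptype"] == icmptype and f["iplen"] == iplen


if __name__ == "__main__":
    worm_like = build_icmp_echo(b"\xaa" * 64)        # 92 bytes total
    normal_ping = build_icmp_echo(b"x" * 56)         # 84 bytes total, the usual ping(8) size
    for name, pkt in (("worm-like", worm_like), ("normal ping", normal_ping)):
        f = parse_ipv4(pkt)
        print(f"{name}: iplen={f['iplen']} matches={matches_iplen_rule(pkt, ASSUMED_NACHI_IPLEN)}")
```

Ordinary 56-byte-payload pings fall through the rule untouched, which is the advantage over blocking all ICMP echo.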