From shipley@dipshit.dis.org  Sat Jan 30 00:08:24 1999
Received: from dipshit.dis.org (dipshit.dis.org [206.14.78.10])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA28334
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 30 Jan 1999 00:08:23 -0800 (PST)
          (envelope-from shipley@dipshit.dis.org)
Received: (from root@localhost)
	by dipshit.dis.org (8.9.1/8.9.1) id AAA01151;
	Sat, 30 Jan 1999 00:09:07 -0800 (PST)
	(envelope-from shipley)
Message-Id: <199901300809.AAA01151@dipshit.dis.org>
Date: Sat, 30 Jan 1999 00:09:07 -0800 (PST)
From: shipley@dis.org
Reply-To: shipley@dis.org
To: FreeBSD-gnats-submit@freebsd.org
Cc: shipley@dis.org, cyber@dis.org
Subject: enhancement for netinet/ip_icmp.c to control ping responses
X-Send-Pr-Version: 3.2

>Number:         9791
>Category:       kern
>Synopsis:       enhancement for netinet/ip_icmp.c to control ping responses
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 30 00:20:00 PST 1999
>Closed-Date:    Mon Aug 6 01:35:58 PDT 2001
>Last-Modified:  Mon Aug 06 01:36:41 PDT 2001
>Originator:     Peter Shipley
>Release:        FreeBSD 3.0-RELEASE i386
>Organization:
KPMG
>Environment:

	Network based FreeBSD systems with security concerns

>Description:

	These are patches to FreeBSD 3.0-RELEASE to add an option
	(settable via sysctl) to disallow pings (ICMP_ECHO) from all
	systems or to restrict them to hosts on the local network.

	This can be set by modifying net.inet.icmp.icmpechosecurity
	with sysctl:

	   0 = normal operation
	   1 = reply to localnet pings
	   2 = ignore everyone 

	That is, if net.inet.icmp.icmpechosecurity is set to 0 (default)
	the system will respond to pings in a normal manner.

	If net.inet.icmp.icmpechosecurity=1 the system will respond to
	pings originating from the localnet (as defined by the system's
	IP address and netmask).

	If net.inet.icmp.icmpechosecurity=2 the system will ignore all pings.

	The reason for this is to enhance security on the system.
	
	(I have written a user level program (pingd) that I will
	release to the ports collection in a week or so that will
	handle pings for the local system as well as "proxy" them for
	systems behind a firewall.  This enhancement will be required
	for this system to function optimally.)


>How-To-Repeat:

	

>Fix:
	


*** netinet/ip_icmp.c.orig	Fri Jan 29 03:29:29 1999
--- netinet/ip_icmp.c	Fri Jan 29 19:20:20 1999
***************
*** 73,78 ****
--- 73,96 ----
  SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
  	   0, "");
  
+ /*
+  *	0 = normally operation
+  *	1 = reply to localnet pings
+  *	2 = ignore everyone 
+  *	
+  *	negative values are considered 0
+  *	values greater then 2 are evaluated as 2
+  *
+  *	In theory this may be better done as a bitmask then merged
+  *	with icmpbmcastecho but I did not want to break things
+  *	<shipley@dis.org>
+  */
+ 
+ static int	icmpechosecurity = 0;
+ SYSCTL_INT(_net_inet_icmp, OID_AUTO, icmpechosecurity, CTLFLAG_RW,
+ &icmpechosecurity, 0, "");
+ 
+ 
  #ifdef ICMPPRINTFS
  int	icmpprintfs = 0;
  #endif
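Review bot: the new sysctl is exported with an empty description string (the last argument of the added SYSCTL_INT call is "") and the patch touches no documentation, so a user has nothing but the source comment to learn what 0, 1 and 2 mean; pass a short string such as "Control replies to ICMP_ECHO: 0 all, 1 local net only, 2 none" and describe the knob wherever net.inet.icmp.bmcastecho is documented. The comment block also has two typos ("normally operation", "greater then 2"), and its note that negative values count as 0 and values above 2 as 2 describes how the comparisons in the ICMP_ECHO case happen to behave rather than any clamping performed here, so say that explicitly. Minor: the SYSCTL_INT continuation line should be indented to match the bmcastecho declaration just above it.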
***************
*** 379,384 ****
--- 397,423 ----
  			icmpstat.icps_bmcastecho++;
  			break;
  		}
+ 
+ 		if ( icmpechosecurity >= 2 ) {
+ 			/* reject all */
+ 			break;
+ 		} else if ( icmpechosecurity == 1 ) {
+ 
+ 		    /* get netmask */
+ 		    ia = (struct in_ifaddr *)ifaof_ifpforaddr(
+ 			(struct sockaddr *)&icmpdst, m->m_pkthdr.rcvif);
+ 		    if (ia == 0 || ia->ia_ifp == 0) {
+ 			break;
+ 		    }
+ 
+ 		    /* test if there src address is on our subnet */
+ 		    if ((ip->ip_src.s_addr & ia->ia_sockmask.sin_addr.s_addr) !=
+ 			(ip->ip_dst.s_addr & ia->ia_sockmask.sin_addr.s_addr)) {
+ 			    break;
+ 		    }
+ 		} /* fall through if reply is OK */
+ 
+ 		/* thus icmpechosecurity <= 0 */
  		icp->icmp_type = ICMP_ECHOREPLY;
  		goto reflect;
  
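Review bot: in the icmpechosecurity == 1 branch, ifaof_ifpforaddr() is called with &icmpdst, but nothing in this hunk assigns icmpdst.sin_addr from ip->ip_dst before the call and the surrounding context does not show it being set anywhere on the ICMP_ECHO path; unless the caller guarantees that, the lookup keys on whatever icmpdst last held and the netmask used by the subnet test can belong to the wrong interface address. Assign icmpdst.sin_addr = ip->ip_dst; (the value the comparison below uses) before the call. Two smaller points: the three break paths that drop an echo request bump no counter, unlike the icmpstat.icps_bmcastecho++ just above, so silently dropped pings are invisible in icmpstat; and the trailing comment "thus icmpechosecurity <= 0" is wrong, since the same line is also reached with icmpechosecurity == 1 when the source passed the subnet test ("reply permitted by policy" would be accurate).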
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: dd 
State-Changed-When: Sat Jun 9 16:25:33 PDT 2001 
State-Changed-Why:  
It's probably better to do this in ping(8) rather than the kernel.  Regardless, 
this change should be discussed prior to being committed. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=9791 

From: Jonathan Chen <jon@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org, shipley@dis.org
Cc:  
Subject: Re: kern/9791: enhancement for netinet/ip_icmp.c to control ping responses
Date: Sun, 5 Aug 2001 05:54:20 -0400

 Is there a reason this should be used instead of ipfw/ipf?  It seems 
 frivolous to use this patch in FreeBSD 4/5.  Filtering ping is really a 
 function of the firewall anyway.  Besides, it doesn't give that much extra 
 security.  I propose we just drop this idea and close the PR.
State-Changed-From-To: suspended->closed 
State-Changed-By: jon 
State-Changed-When: Mon Aug 6 01:35:58 PDT 2001 
State-Changed-Why:  
use ipf/ipfw to control icmp traffic. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=9791 
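The ipfw(8) ruleset below is an added illustration of the firewall approach the closing comment points to; it is not part of this PR or of FreeBSD. The interface name fxp0, the address 192.168.1.10/24 and the rule numbers are assumed for the example.

```ipfw
# Added example, not from the PR or FreeBSD: ipfw(8) rules giving the effect
# of icmpechosecurity=1 for a host assumed to sit at 192.168.1.10/24 on fxp0
# (interface, address and rule numbers are made up for the example).
# Only ICMP echo requests (type 8) are filtered; echo replies (type 0) are
# left alone so the host's own outgoing ping(8) still gets its answers.
ipfw add 1000 allow icmp from 192.168.1.0/24 to 192.168.1.10 icmptypes 8 in via fxp0
ipfw add 1010 deny  icmp from any to 192.168.1.10 icmptypes 8 in

# Equivalent of icmpechosecurity=2 (ignore every echo request on every
# interface); use this instead of the two rules above:
# ipfw add 1000 deny icmp from any to any icmptypes 8 in
```

On a multi-homed box one allow rule per interface and subnet pair is needed, which is the same per-interface decision the patch derives from the receiving interface's netmask. Requests dropped by the deny rule are counted in that rule's packet counter in the output of "ipfw show", which the kernel patch did not provide.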
>Unformatted:
