-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think we can sum up this entire discussion as it pertains to the
original topic of firewalls with a few simple points.

You cannot block ICMP; it breaks TCP. It's a "Control Message Protocol"
for a reason. If you block it, you cannot send squelches, routes
unreachable, etc. Point being, block ICMP on your local box and you will
see a few odd problems, but nothing too devastating. Block it on a piece of
networking hardware and you will $%@#$ up a network.

However, what is safe to block is ICMP echo requests (type 5, or type 9
(?) I can't remember specifically), and it is important (and I believe done
by default by the kernel [or at least by MY kernel]) to block any
response to an ICMP broadcast, to avoid participating in a smurf attack.

Secondly, DROP or REJECT. It doesn't really matter. Personally, I drop,
since I see no need to send a reply back, since there is no
legitimate reason to connect on this port. And yes, it DOES slow down a
person doing a conventional port scan on you (i.e. someone across the
room downloads and runs NMAP on you with the defaults).

HOWEVER, if someone is serious about port scanning you, they are going
to be parallelizing it. Scan half the ports with one sweep. Makes the scan
go pretty quick regardless of whether you REJECT or DROP.

As I said, personally, my default policy is DROP. As I said above,
personally, I see no reason for my computer to respond to yours with any
ICMP messages if you are trying to connect on a blocked port. Secondly,
DROP is a few cycles faster than REJECT, which can help out a little in
a DoS scenario (please no one argue about the speed consequences of
using DROP over REJECT; I will concede now (pardon my spelling, or lack
thereof) it makes no difference unless you're doing it on a Cisco 8700
series router at the border of a class A network that is over 70% full).

However, for almost all users out there, you could change your DROPs to
REJECTs and you would be fine. You're not opening up some mysterious hole
by doing so; moreover, you're not making yourself any less conspicuous
[spelling, yes I know :p] to the attackers you need to worry about.

Now let's all go read the RFC for ICMP and TCP...
- --
Stephen Clowater

BOFH Excuse #229:

wrong polarity of neutron flow

The (revised) 3 case c++ function to determine the meaning of life :

#include <stdio.h>
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())? "grep -i 'meaning of life' /dev/null": "grep \
- -i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; }

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE//knwcyHa6bMWAzYRAgbcAJ9mw2lSgCe4zTn0Y1fUsHJi20pFJACgptFi
uLIZSO0j5M44I4vnX2kY5HI=
=D9vN
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list
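The host-side ICMP policy the message argues for, as an added example that is not code from the original post or from the gentoo-security list: accept the control messages TCP depends on (destination unreachable including "fragmentation needed" for Path MTU discovery, time exceeded, source quench, parameter problem, echo reply), drop echo requests, and never answer an echo request addressed to a broadcast address. ICMP type numbers are from RFC 792 (echo request is type 8; types 5 and 9 are redirect and router advertisement). The packets are constructed inline with zero checksums, the LAN prefix 192.0.2.0/24 is a constructed TEST-NET-1 address, and the nftables table/chain names `inet filter input` in `nft_rules()` are an assumption about the target ruleset.

```python
"""Host ICMP filtering policy: keep the control messages TCP depends on,
drop echo requests, never answer echo requests sent to a broadcast address.

Added example, not code from the original post. Packets are constructed
inline; checksums are left zero because the classifier does not verify them.
ICMP type numbers are from RFC 792."""
import ipaddress
import struct

# Types a host must still receive for TCP/IP to behave (RFC 792, RFC 1122).
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3      # code 4 = fragmentation needed: Path MTU discovery
ICMP_SOURCE_QUENCH = 4     # the "squelch" the post mentions (deprecated by RFC 6633)
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8      # what ping sends; safe to drop on a host
ICMP_TIME_EXCEEDED = 11    # TTL expiry, traceroute
ICMP_PARAM_PROBLEM = 12

# One policy table drives both the packet classifier and the nft rules.
ACCEPT_TYPES = {
    ICMP_ECHO_REPLY: "echo-reply",
    ICMP_DEST_UNREACH: "destination-unreachable",
    ICMP_SOURCE_QUENCH: "source-quench",
    ICMP_TIME_EXCEEDED: "time-exceeded",
    ICMP_PARAM_PROBLEM: "parameter-problem",
}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def make_packet(src: str, dst: str, icmp_type: int, icmp_code: int, proto: int = 1) -> bytes:
    """Build a minimal IPv4 datagram (20-byte header, no options) carrying an
    8-byte ICMP header. Constructed test input; checksums are zero."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(icmp), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + icmp


def parse_ipv4_icmp(packet: bytes):
    """Return (dst, icmp_type, icmp_code) for an ICMP datagram, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # honour IP options when locating ICMP
    if packet[9] != 1 or len(packet) < ihl + 4:
        return None                         # not ICMP, or truncated ICMP header
    dst = ipaddress.IPv4Address(packet[16:20])
    return dst, packet[ihl], packet[ihl + 1]


def decide(packet: bytes, local_net_cidr: str) -> str:
    """Verdict for one inbound packet on a host inside local_net_cidr."""
    local_net = ipaddress.IPv4Network(local_net_cidr)
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return "pass"                       # not ICMP: leave it to the TCP/UDP rules
    dst, icmp_type, _code = parsed
    if icmp_type == ICMP_ECHO_REQUEST:
        if dst in (local_net.broadcast_address, LIMITED_BROADCAST):
            return "drop:broadcast-echo"    # never amplify a smurf attack
        return "drop:echo-request"          # plain ping: silently dropped
    if icmp_type in ACCEPT_TYPES:
        return "accept"                     # unreachable / frag-needed / TTL exceeded keep TCP working
    return "drop:other"                     # e.g. redirect (5), router advertisement (9)


def nft_rules(chain: str = "input") -> list:
    """The same policy as nft rule lines plus the kernel knob for broadcast pings.
    Table 'inet filter' and the chain name are assumptions about the target ruleset."""
    names = ", ".join(ACCEPT_TYPES[t] for t in sorted(ACCEPT_TYPES))
    return [
        "sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1",
        f"nft add rule inet filter {chain} icmp type {{ {names} }} accept",
        f"nft add rule inet filter {chain} icmp type echo-request drop",
    ]


def sample_verdicts(local_net_cidr: str = "192.0.2.0/24") -> dict:
    """Run the classifier over constructed packets (TEST-NET addresses)."""
    samples = {
        "frag-needed":    make_packet("192.0.2.1", "192.0.2.10", ICMP_DEST_UNREACH, 4),
        "ttl-exceeded":   make_packet("192.0.2.1", "192.0.2.10", ICMP_TIME_EXCEEDED, 0),
        "ping":           make_packet("192.0.2.77", "192.0.2.10", ICMP_ECHO_REQUEST, 0),
        "broadcast-ping": make_packet("198.51.100.9", "192.0.2.255", ICMP_ECHO_REQUEST, 0),
        "redirect":       make_packet("192.0.2.1", "192.0.2.10", ICMP_REDIRECT, 1),
        "not-icmp":       make_packet("192.0.2.77", "192.0.2.10", 0, 0, proto=6),
    }
    return {name: decide(pkt, local_net_cidr) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:15s} -> {verdict}")
    print("\n".join(nft_rules()))
```

The "frag-needed" sample is the case that makes blanket ICMP blocking break TCP: a router that cannot forward a DF-flagged segment reports it with type 3 code 4, and a host that drops it keeps retransmitting full-size segments and the connection stalls. The echo-request rule is a plain drop rather than reject, matching the policy the post settles on; swapping `drop` for `reject` in the generated line changes only whether the sender gets an answer, not what the host accepts.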