Gentoo Archives: gentoo-security

From: Troy Farrell <troy@×××××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 19:52:48
Message-Id: 3FFDB063.3080804@entheossoft.com
In Reply to: Re: [gentoo-security] firewall suggestions? by Chris K Ellsworth
`man iptables` and the iptables programmers think that icmp-port-unreachable is 
an acceptable response.  You can set your own.

quoth `man iptables`:
> which return  the  appropriate  ICMP  error message
> (port-unreachable is the default).

As for which ICMPs to block, I took this from:

http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12

Troy

Chris K Ellsworth wrote:
> So then are these the good ICMPs that should be allowed and all others be
> killed for "good" firewall admin practices?
>
> ----- Original Message -----
> From: "Frank Gruellich" <frank@××××××××××××.org>
> To: <gentoo-security@l.g.o>
> Sent: Thursday, January 08, 2004 8:55 AM
> Subject: Re: [gentoo-security] firewall suggestions?
>
>
>> * Troy Farrell <troy@×××××××××××.com> 8. Jan 04
>>
>>> # iptables -L allow-icmp-traffic
>>
>> [output fixed]
>>
>>> Chain allow-icmp-traffic (2 references)
>>> target     prot opt source               destination
>>> ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded limit: avg 10/sec burst 5
>>> ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable limit: avg 10/sec burst 5
>>> ACCEPT     icmp --  anywhere             anywhere            icmp source-quench limit: avg 10/sec burst 5
>>> ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 5/sec burst 5
>>> ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply limit: avg 5/sec burst 5
>>> LOG        icmp --  anywhere             anywhere            LOG level warning prefix `Bad ICMP traffic:'
>>> REJECT     icmp --  anywhere             anywhere
>>
>> The default answer of REJECT is port unreachable. I always wondered,
>> if this is a good way to answer to a question in a protocol with no
>> ports. Shouldn't you answer with ICMP protocol unreachable maybe?
>>
>> Regards, Frank.
>> --
>> Sigmentation fault
>>
>> --
>> gentoo-security@g.o mailing list
>
>
> --
> gentoo-security@g.o mailing list
--
And the glory of the LORD shall be revealed, and all flesh shall see it
together: for the mouth of the LORD hath spoken it. Isaiah 40.5

--
gentoo-security@g.o mailing list
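Added example (not code from the thread or from the Gentoo security guide): a shell script that rebuilds the quoted allow-icmp-traffic chain with the same ICMP types and rate limits, and replaces the REJECT default (port-unreachable) with an explicit --reject-with icmp-proto-unreachable, the answer Frank asked about and Troy says can be set. The chain name, limits and types come from the listing above; hooking it from INPUT and FORWARD is an assumption (the listing only shows "2 references").

```shell
#!/bin/sh
# Added example, not from the thread. Set IPT=echo to print the iptables
# commands instead of applying them (useful for review before going root).
IPT="${IPT:-iptables}"
CHAIN=allow-icmp-traffic

# icmp_accept TYPE RATE BURST: rate-limited ACCEPT for one ICMP type,
# matching the "limit: avg RATE burst BURST" entries in the listing.
icmp_accept() {
    "$IPT" -A "$CHAIN" -p icmp --icmp-type "$1" \
        -m limit --limit "$2" --limit-burst "$3" -j ACCEPT
}

# Create the chain with the same types and limits as the quoted listing,
# then log and reject everything else with protocol-unreachable.
build_icmp_chain() {
    "$IPT" -N "$CHAIN"
    icmp_accept time-exceeded           10/sec 5
    icmp_accept destination-unreachable 10/sec 5
    icmp_accept source-quench           10/sec 5
    icmp_accept echo-request            5/sec  5
    icmp_accept echo-reply              5/sec  5
    "$IPT" -A "$CHAIN" -p icmp -j LOG --log-level warning \
        --log-prefix "Bad ICMP traffic: "
    # REJECT's default reply is icmp-port-unreachable; ICMP has no ports,
    # so answer with protocol-unreachable instead.
    "$IPT" -A "$CHAIN" -p icmp -j REJECT --reject-with icmp-proto-unreachable
}

# Assumed hook points for the two references the listing shows.
hook_icmp_chain() {
    "$IPT" -A INPUT   -p icmp -j "$CHAIN"
    "$IPT" -A FORWARD -p icmp -j "$CHAIN"
}

case "${1:-}" in
    apply)   build_icmp_chain && hook_icmp_chain ;;
    dry-run) IPT=echo; build_icmp_chain; hook_icmp_chain ;;
esac
```

Run `sh script.sh dry-run` to see the rules, or `sh script.sh apply` as root to load them; the chain must not already exist when `-N` runs.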