`man iptables` and the iptables programmers think that icmp-port-unreachable is
an acceptable response. You can set your own.

quoth `man iptables`:
> which return the appropriate ICMP error message
> (port-unreachable is the default).

As for which ICMPs to block, I took this from:

http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12

Troy

Chris K Ellsworth wrote:
> So then are these the good ICMP's that should be allowed and all others be
> killed for "good" firewall admin practices?
>
> ----- Original Message -----
> From: "Frank Gruellich" <frank@××××××××××××.org>
> To: <gentoo-security@l.g.o>
> Sent: Thursday, January 08, 2004 8:55 AM
> Subject: Re: [gentoo-security] firewall suggestions?
>
>
>>* Troy Farrell <troy@×××××××××××.com> 8. Jan 04
>>
>>># iptables -L allow-icmp-traffic
>>
>>[output fixed]
>>
>>>Chain allow-icmp-traffic (2 references)
>>>target prot opt source destination
>>>ACCEPT icmp -- anywhere anywhere icmp time-exceeded limit: avg 10/sec burst 5
>>>ACCEPT icmp -- anywhere anywhere icmp destination-unreachable limit: avg 10/sec burst 5
>>>ACCEPT icmp -- anywhere anywhere icmp source-quench limit: avg 10/sec burst 5
>>>ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 5
>>>ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 5/sec burst 5
>>>LOG icmp -- anywhere anywhere LOG level warning prefix `Bad ICMP traffic:'
>>>REJECT icmp -- anywhere anywhere
>>
>>The default answer of REJECT is port unreachable. I always wondered
>>if this is a good way to answer a question in a protocol with no
>>ports. Shouldn't you answer with ICMP protocol unreachable maybe?
>>
>> Regards, Frank.
>>--
>>Sigmentation fault
>

--
And the glory of the LORD shall be revealed, and all flesh shall see it
together: for the mouth of the LORD hath spoken it.
Isaiah 40.5

--
gentoo-security@g.o mailing list
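The allow-icmp-traffic chain from the quoted listing, rebuilt as a shell script that uses Frank's suggested protocol-unreachable reply instead of the REJECT default. This is an added example, not code from the thread or from the Gentoo guide; it assumes iptables with the limit match and the REJECT target, and the rate limit on the LOG rule is an addition not present in the listed chain.

```shell
#!/bin/sh
# Rebuild the allow-icmp-traffic chain shown in the thread.
# Dry run by default: IPT=echo prints the rules instead of loading them.
# Run as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo}"
CHAIN="allow-icmp-traffic"   # chain name taken from the quoted listing

build_icmp_chain() {
    # Create the user chain if missing, then flush it so reruns are idempotent.
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    "$IPT" -F "$CHAIN"

    # ICMP types the chain accepts, each rate-limited as in the listing.
    # Entry format: icmp-type:rate:burst
    for spec in time-exceeded:10/sec:5 destination-unreachable:10/sec:5 \
                source-quench:10/sec:5 echo-request:5/sec:5 echo-reply:5/sec:5; do
        type=${spec%%:*}; rest=${spec#*:}
        rate=${rest%%:*}; burst=${rest#*:}
        "$IPT" -A "$CHAIN" -p icmp --icmp-type "$type" \
            -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    done

    # Everything else: log it (rate-limited here, unlike the listing, so a
    # flood of bad ICMP cannot fill the log) and reject with ICMP
    # protocol-unreachable, the reply Frank proposes for a portless protocol.
    "$IPT" -A "$CHAIN" -p icmp -m limit --limit 5/min -j LOG \
        --log-level warning --log-prefix "Bad ICMP traffic: "
    "$IPT" -A "$CHAIN" -p icmp -j REJECT --reject-with icmp-proto-unreachable
}

build_icmp_chain
```

The chain still has to be referenced from INPUT and FORWARD (the "2 references" in the listing), for example with `iptables -A INPUT -p icmp -j allow-icmp-traffic`.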