Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: Troy Farrell <troy@...>
Subject: Re: firewall suggestions?
Date: Thu, 08 Jan 2004 13:32:51 -0600
`man iptables` and the iptables programmers think that icmp-port-unreachable is 
an acceptable response.  You can set your own.

quoth `man iptables`:
 > which return  the  appropriate  ICMP  error message
 > (port-unreachable is the default).

As for which ICMPs to block, I took this from:

http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12

Troy

Chris K Ellsworth wrote:
> So then are these the good ICMP's that should be allowed and all others be
> killed for "good" firewall admin practices?
> 
> ----- Original Message ----- 
> From: "Frank Gruellich" <frank@...>
> To: <gentoo-security@g.o>
> Sent: Thursday, January 08, 2004 8:55 AM
> Subject: Re: [gentoo-security] firewall suggestions?
> 
> 
> 
>>* Troy Farrell <troy@...>  8. Jan 04
>>
>>># iptables -L allow-icmp-traffic
>>
>>[output fixed]
>>
>>
>>>Chain allow-icmp-traffic (2 references)
>>>target     prot opt source               destination
>>>ACCEPT     icmp --  anywhere             anywhere           icmp
> 
> time-exceeded limit: avg 10/sec burst 5
> 
>>>ACCEPT     icmp --  anywhere             anywhere           icmp
> 
> destination-unreachable limit: avg 10/sec burst 5
> 
>>>ACCEPT     icmp --  anywhere             anywhere           icmp
> 
> source-quench limit: avg 10/sec burst 5
> 
>>>ACCEPT     icmp --  anywhere             anywhere           icmp
> 
> echo-request limit: avg 5/sec burst 5
> 
>>>ACCEPT     icmp --  anywhere             anywhere           icmp
> 
> echo-reply limit: avg 5/sec burst 5
> 
>>>LOG        icmp --  anywhere             anywhere           LOG level
> 
> warning prefix `Bad ICMP traffic:'
> 
>>>REJECT     icmp --  anywhere             anywhere
>>
>>The default answer of REJECT ist port unreachable.  I always wondered,
>>if this is a good way to answer to a question in a protocol with no
>>ports.  Shouldn't you answer with ICMP protocol unreachable maybe?
>>
>> Regards, Frank.
>>-- 
>>Sigmentation fault
>>
>>--
>>gentoo-security@g.o mailing list
>>
>>
>>
> 
> 
> 
> --
> gentoo-security@g.o mailing list
> 


-- 
And the glory of the LORD shall be revealed, and all flesh shall see it 
together: for the mouth of the LORD hath spoken it.
Isaiah 40.5


--
gentoo-security@g.o mailing list

References:
RE: firewall suggestions?
-- MA
Re: firewall suggestions?
-- Oliver Schad
Re: firewall suggestions?
-- Ryan Voots
Re: firewall suggestions?
-- Troy Farrell
Re: firewall suggestions?
-- Frank Gruellich
Re: firewall suggestions?
-- Chris K Ellsworth
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: firewall suggestions?
Next by thread:
Re: firewall suggestions?
Previous by date:
Re: firewall suggestions?
Next by date:
Re: firewall suggestions?


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.