Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: Mark Hurst <mark@...>
From: Alexander Schreiber <als@...>
Subject: Re: firewall suggestions?
Date: Fri, 9 Jan 2004 11:40:22 +0100
On Fri, Jan 09, 2004 at 05:36:51PM +1100, Mark Hurst wrote:
> > Probably you think ICMP is dangerous too. There are a lot of brain dead 
> > admins who blocks ICMP packets and they wonder why connections to some 
> > websites are broken or if they administrate the packet filter before a 
> > webserver they wonder why some user grouches they wouldn't get a 
> > connection to the web server.
> 
> Ever heard of Smurf or Loki?
> 
> If you allow all ICMP in you are indeed a brain-dead admin, in my opinion.
> Sure, host unreachable, DF should be allowed in, but why should an
> external host be able to send timestamp or subnet requests?

There are several types of ICMP messages. Some of those you can happily
discard (like timestamp requests) some you should discard (like
redirect) and some you really want to let through (like unreachable).
Others are subject to policy (echo request/reply, although in this case
I suggest letting them pass, but put a rate limit on them to avoid easy
DoS).

Simply dropping all ICMP is stupid and will lead to problems, as ICMP is
an integral part of the IP protocol suite.

Regards,
     Alex.
-- 
"Opportunity is missed by most people because it is dressed in overalls and
 looks like work."                                      -- Thomas A. Edison

--
gentoo-security@g.o mailing list

References:
RE: firewall suggestions?
-- MA
Re: firewall suggestions?
-- Oliver Schad
Re: firewall suggestions?
-- Mark Hurst
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: firewall suggestions?
Next by thread:
RE: firewall suggestions?
Previous by date:
Re: firewall suggestions?
Next by date:
Re: firewall suggestions?


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.