List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
-----BEGIN PGP SIGNED MESSAGE-----
Stephen Clowater wrote:
| You can not Block ICMP, it breaks tcp, its a "controll Message Prococol"
| for a reason. If you block it, you can not send squelches, routes
| unreachable, ect. Point being, block ICMP on your local box, you will
| see a few odd problems, but nothing to devestaing. Block it on a pice of
| networking hardware, you will $%@#$ up a network.
Without attempting to make the thread any longer, the problem with the
above logic is that it assumes that the 'firewall' system is not working
with 'related' packets. You can drop all the ICMP traffic you want, the
required ICMP packets will still get out (and in) so long as the
'firewall' system keeps track of 'related sessions'. If an ICMP packet
needs to get in and it's related to a current session, the firewall will
let it in. If it's unrelated, it's dropped (of course).
And that's the whole purpose of ip_conntrack. Any decent 'firewalling'
script will implement this. Of course, I've been using Seawall (2.2) and
Shorewall (2.4+) for years now without a glitch on personal and
corporate/production 'firewalls' and routers.
"Keeping track of packets: The state match"
"BEST DEFENSE: Network Security With Linux 2.4"
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
GPG Key: http://forkbomb.dhs.org/bs/snafu.asc
Life would be so much easier if we could just look at the source code.
~ -- Dave Olson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
firstname.lastname@example.org mailing list