List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: "Paul S." <snafu@...>
Subject: Re: firewall suggestions?
Date: Sun, 11 Jan 2004 09:17:17 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Clowater wrote:

| You can not block ICMP, it breaks TCP, it's a "control Message Protocol"
| for a reason. If you block it, you can not send squelches, routes
| unreachable, etc. Point being, block ICMP on your local box, you will
| see a few odd problems, but nothing too devastating. Block it on a piece of
| networking hardware, you will $%@#$ up a network.

Without attempting to make the thread any longer, the problem with the
above logic is that it assumes that the 'firewall' system is not working
with 'related' packets. You can drop all the ICMP traffic you want, the
required ICMP packets will still get out (and in) so long as the
'firewall' system keeps track of 'related sessions'. If an ICMP packet
needs to get in and it's related to a current session, the firewall will
let it in. If it's unrelated, it's dropped (of course).

And that's the whole purpose of ip_conntrack. Any decent 'firewalling'
script will implement this. Of course, I've been using Seawall (2.2) and
Shorewall (2.4+) for years now without a glitch on personal and
corporate/production 'firewalls' and routers.

Try:
"Keeping track of packets: The state match"
http://www.linux-mag.com/2000-01/bestdefense_03.html
(part of)
"BEST DEFENSE: Network Security With Linux 2.4"
http://www.linux-mag.com/2000-01/bestdefense_01.html

modprobe ip_conntrack
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Regards,
Paul <snafu@...>

BLOG: http://forkbomb.dhs.org/bs/
GPG Key: http://forkbomb.dhs.org/bs/snafu.asc
- ---
Life would be so much easier if we could just look at the source code.
~        -- Dave Olson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAAVrtNQvzkbg+TpsRAutAAJ40Bk+FwG5UZoXW95d8SXmnHZ/ljACeNzWE
usrHkixM2uPsL1D5Zbie0nE=
=HlVb
-----END PGP SIGNATURE-----
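A small model of the state match Paul is describing, added here as an illustration; it is not code from the message, from Shorewall or from netfilter. It keeps a toy connection table, classifies inbound packets as NEW / ESTABLISHED / RELATED / INVALID the way conntrack does for TCP flows and ICMP errors (an ICMP error quotes the header of the packet that triggered it, and conntrack looks that inner header up in the table), and then runs the INPUT chain from the message: accept ESTABLISHED,RELATED first, drop all other ICMP. All packets, addresses and the SSH accept rule are constructed for the example; echo request/reply tracking by ICMP ID, direction checks and entry timeouts, which real conntrack also does, are left out.

```python
"""Toy model of iptables '-m state' handling of ICMP (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class ConnTable:
    """Minimal stand-in for ip_conntrack: a set of tracked 5-tuples."""
    flows: set = field(default_factory=set)

    @staticmethod
    def reply_tuple(t):
        proto, src, sport, dst, dport = t
        return (proto, dst, dport, src, sport)

    def note_outbound(self, t):
        """Record a flow this box initiated (proto, src, sport, dst, dport)."""
        self.flows.add(t)

    def state_of(self, pkt):
        """Classify an inbound packet as conntrack would."""
        if pkt["proto"] == "icmp" and "inner" in pkt:
            # ICMP error: look up the quoted inner header. If it belongs to a
            # tracked flow (either direction) the error is RELATED to it;
            # an error quoting a flow we never had is INVALID.
            i = pkt["inner"]
            t = (i["proto"], i["src"], i["sport"], i["dst"], i["dport"])
            if t in self.flows or self.reply_tuple(t) in self.flows:
                return "RELATED"
            return "INVALID"
        t = (pkt["proto"], pkt["src"], pkt.get("sport"),
             pkt["dst"], pkt.get("dport"))
        if t in self.flows or self.reply_tuple(t) in self.flows:
            return "ESTABLISHED"
        return "NEW"


def input_chain(ct, pkt):
    """The INPUT chain from the message, evaluated top to bottom."""
    state = ct.state_of(pkt)
    # iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    # the blanket "block ICMP" rule the thread argues about
    if pkt["proto"] == "icmp":
        return "DROP"
    # constructed: one listening service, everything else dropped
    if pkt["proto"] == "tcp" and pkt.get("dport") == 22 and state == "NEW":
        return "ACCEPT"
    return "DROP"


def demo():
    """Run four constructed inbound packets through the chain."""
    ct = ConnTable()
    # Our box (192.0.2.10) opened a TCP connection to a web server.
    ct.note_outbound(("tcp", "192.0.2.10", 40000, "198.51.100.5", 80))

    # A router on the path reports "fragmentation needed" (type 3, code 4),
    # quoting the header of our outbound segment: RELATED, so accepted even
    # though ICMP is otherwise dropped.
    frag_needed = {"proto": "icmp", "src": "203.0.113.1", "dst": "192.0.2.10",
                   "type": 3, "code": 4,
                   "inner": {"proto": "tcp", "src": "192.0.2.10", "sport": 40000,
                             "dst": "198.51.100.5", "dport": 80}}
    # An unsolicited echo request: NEW ICMP, dropped by the ICMP rule.
    ping = {"proto": "icmp", "src": "203.0.113.7", "dst": "192.0.2.10",
            "type": 8, "code": 0}
    # An ICMP error quoting a flow this box never had: INVALID, dropped.
    bogus = {"proto": "icmp", "src": "203.0.113.9", "dst": "192.0.2.10",
             "type": 3, "code": 1,
             "inner": {"proto": "tcp", "src": "192.0.2.10", "sport": 51111,
                       "dst": "192.0.2.99", "dport": 443}}
    # The web server's reply segment: ESTABLISHED, accepted.
    reply = {"proto": "tcp", "src": "198.51.100.5", "sport": 80,
             "dst": "192.0.2.10", "dport": 40000}

    packets = [("frag_needed", frag_needed), ("ping", ping),
               ("bogus", bogus), ("reply", reply)]
    return {name: input_chain(ct, p) for name, p in packets}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Because `-I` inserts at position 1, the state rule lands above any ICMP drop that was added earlier; on a real box, confirm that with `iptables -L INPUT -n --line-numbers`, since an ESTABLISHED,RELATED rule placed below the drop does nothing for ICMP errors. On current kernels the module is `nf_conntrack` rather than `ip_conntrack`, and the equivalent match is `-m conntrack --ctstate ESTABLISHED,RELATED`.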
