On Sunday 08 September 2002 13:49, Hanus Adler wrote:
> you're mixing up icmp and ping. ping is not the same as icmp. maybe you
First of all the ping command uses icmp type 8 and 0 packets. So it's not the
same but based on it.

> don't really need everyone to be able to ping, but you need at least
> some icmp for tcp/ip to function correctly. for example you should
> *never* drop destination-unreachable icmp packets.
Right. And it is not done in the firewall script in gentoo-security.html.

> recommending people to improve their security by "disabling icmp type 0
> in the firewall" is WRONG.
echo-request and -response (icmp type 8 and 0) are not necessary to run an IP
network. So you can drop them if you want. If you drop them you are not
ping-able from outside (not nice but valid), and you can't ping any host on
the outside (makes it harder to search for the error source).
But as written in the firewall script, ping and pong packets can be used to
send unwanted data through the firewall. If you are that paranoid, feel free
to disable them and live with the consequences.

> you should correct this in
> http://www.gentoo.org/doc/gentoo-security.html before too many people
> have misconfigured their firewalls.
No, it's not nice behavior, but it is not wrong.

Regards
Nils Ohlmeier
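An added example (not the firewall script from gentoo-security.html and not either poster's code) of the ICMP policy the thread argues about: the blanket "drop all ICMP" rule beside a ruleset that keeps the error types TCP/IP depends on and treats echo (types 8 and 0) as a separate, optional decision. It assumes iptables; set DRYRUN=1 to print the commands instead of executing them, since loading rules needs root.

```shell
#!/bin/sh
# Wrapper so the rules can be inspected without root: with DRYRUN set,
# the iptables command line is printed instead of executed.
ipt() {
    if [ -n "$DRYRUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Weak variant seen in many hand-written scripts: drop every ICMP packet.
# This also discards destination-unreachable (type 3) and time-exceeded
# (type 11), which breaks path-MTU discovery and traceroute diagnostics.
icmp_rules_bad() {
    ipt -A INPUT -p icmp -j DROP
}

# Corrected variant: accept the ICMP error types needed for correct
# operation, then decide about echo separately. DROP_ECHO=1 makes the host
# unpingable and drops incoming replies to its own pings (valid, but it
# makes troubleshooting harder); otherwise echo is accepted, rate-limited.
icmp_rules_good() {
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT  # type 3
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT            # type 11
    ipt -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT        # type 12
    if [ -n "$DROP_ECHO" ]; then
        ipt -A INPUT -p icmp --icmp-type echo-request -j DROP           # type 8
        ipt -A INPUT -p icmp --icmp-type echo-reply -j DROP             # type 0
    else
        ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
        ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    fi
    # Everything else (redirects, router advertisements, ...) is dropped.
    ipt -A INPUT -p icmp -j DROP
}
```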