| 1 |
On Sunday 08 September 2002 13:49, Hanus Adler wrote: |
| 2 |
> you're mixing up icmp and ping. ping is not the same as icmp. maybe you |
| 3 |
First of all the ping command uses icmp type 8 and 0 packets. So it's not the |
| 4 |
same but based on it. |
| 5 |
|
| 6 |
> don't really need everyone to be able to ping, but you need at least |
| 7 |
> some icmp for tcp/ip to function correctly. for example you should |
| 8 |
> *never* drop destination-unreachable icmp packets. |
| 9 |
Right. And it is not done in the firewall script in gentoo-security.html. |
| 10 |
|
| 11 |
> recommending people to improve their security by "disabling icmp type 0 |
| 12 |
> in the firewall" is WRONG. |
| 13 |
echo-request and -response (icmp type 8 and 0) are not necessary to run an IP |
| 14 |
network. So you can drop them if you want. If you drop them you are not |
| 15 |
ping-able from outside (not nice but valid), and you can't ping any host on |
| 16 |
the outside (makes it harder to search for error source). |
| 17 |
But as written in the firewall script ping and pong packets can be used to |
| 18 |
send unwanted data through the firewall. If you are such paranoid feel free |
| 19 |
to disable them and live with the consequences. |
| 20 |
|
| 21 |
> you should correct this in |
| 22 |
> http://www.gentoo.org/doc/gentoo-security.html before too many people |
| 23 |
> have misconfigured their firewalls. |
| 24 |
No it's no nice behaivior but not wrong. |
| 25 |
|
| 26 |
Regards |
| 27 |
Nils Ohlmeier |
Archives