Gentoo Archives: gentoo-security

From: Troy Farrell <troy@×××××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 19:52:48
Message-Id: 3FFDB063.3080804@entheossoft.com
In Reply to: Re: [gentoo-security] firewall suggestions? by Chris K Ellsworth
`man iptables` and the iptables programmers think that icmp-port-unreachable is
an acceptable response. You can set your own.

quoth `man iptables`:
> which return the appropriate ICMP error message
> (port-unreachable is the default).

As for which ICMPs to block, I took this from:

http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12

Troy

Chris K Ellsworth wrote:
> So then are these the good ICMP's that should be allowed and all others be
> killed for "good" firewall admin practices?
>
> ----- Original Message -----
> From: "Frank Gruellich" <frank@××××××××××××.org>
> To: <gentoo-security@l.g.o>
> Sent: Thursday, January 08, 2004 8:55 AM
> Subject: Re: [gentoo-security] firewall suggestions?
>
>>* Troy Farrell <troy@×××××××××××.com> 8. Jan 04
>>
>>># iptables -L allow-icmp-traffic
>>
>>[output fixed]
>>
>>>Chain allow-icmp-traffic (2 references)
>>>target     prot opt source       destination
>>>ACCEPT     icmp --  anywhere     anywhere     icmp time-exceeded limit: avg 10/sec burst 5
>>>ACCEPT     icmp --  anywhere     anywhere     icmp destination-unreachable limit: avg 10/sec burst 5
>>>ACCEPT     icmp --  anywhere     anywhere     icmp source-quench limit: avg 10/sec burst 5
>>>ACCEPT     icmp --  anywhere     anywhere     icmp echo-request limit: avg 5/sec burst 5
>>>ACCEPT     icmp --  anywhere     anywhere     icmp echo-reply limit: avg 5/sec burst 5
>>>LOG        icmp --  anywhere     anywhere     LOG level warning prefix `Bad ICMP traffic:'
>>>REJECT     icmp --  anywhere     anywhere
>>
>>The default answer of REJECT is port unreachable. I always wondered,
>>if this is a good way to answer to a question in a protocol with no
>>ports. Shouldn't you answer with ICMP protocol unreachable maybe?
>>
>> Regards, Frank.
>>--
>>Sigmentation fault
>>
>>--
>>gentoo-security@g.o mailing list
>
> --
> gentoo-security@g.o mailing list

--
And the glory of the LORD shall be revealed, and all flesh shall see it
together: for the mouth of the LORD hath spoken it.
Isaiah 40.5

--
gentoo-security@g.o mailing list
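Added example, not from any post in this thread: a script that rebuilds the allow-icmp-traffic chain from the quoted `iptables -L` listing as explicit iptables commands, keeping the same five rate-limited ICMP types and the log-then-reject tail, and making the REJECT answer configurable so the icmp-port-unreachable default Troy quotes and the protocol-unreachable alternative Frank raises can both be tried. The INPUT/FORWARD hooks (the chain's "2 references") and the IPT and REJECT_WITH variables are assumptions made here.

```shell
#!/bin/sh
# Added example, not from any post in this thread: rebuild the allow-icmp-traffic
# chain from Troy's `iptables -L` listing, with the same rate limits, and make
# the REJECT answer configurable instead of the icmp-port-unreachable default.
# Assumptions: the chain is hooked from INPUT and FORWARD (its "2 references"),
# and REJECT_WITH/IPT are variables introduced here. Set IPT="echo iptables"
# to print the commands instead of running them.
IPT="${IPT:-iptables}"
REJECT_WITH="${REJECT_WITH:-icmp-port-unreachable}"

# Allowed ICMP types and their limits, copied from the listing:
# "<icmp-type> <average per second> <burst>" per line.
ALLOWED_ICMP='time-exceeded 10 5
destination-unreachable 10 5
source-quench 10 5
echo-request 5 5
echo-reply 5 5'

# One rate-limited ACCEPT rule for a single ICMP type.
accept_rule() {
    echo "$IPT -A allow-icmp-traffic -p icmp --icmp-type $1" \
         "-m limit --limit $2/sec --limit-burst $3 -j ACCEPT"
}

# Every command needed to create the chain, one per line, in rule order.
icmp_chain_commands() {
    echo "$IPT -N allow-icmp-traffic"
    echo "$ALLOWED_ICMP" | while read -r type avg burst; do
        accept_rule "$type" "$avg" "$burst"
    done
    # Anything not matched above is logged, then rejected with the chosen ICMP error.
    echo "$IPT -A allow-icmp-traffic -p icmp -j LOG --log-level warning --log-prefix 'Bad ICMP traffic:'"
    echo "$IPT -A allow-icmp-traffic -p icmp -j REJECT --reject-with $REJECT_WITH"
    # Hook the chain from INPUT and FORWARD (assumed: the listing only shows 2 references).
    echo "$IPT -A INPUT -p icmp -j allow-icmp-traffic"
    echo "$IPT -A FORWARD -p icmp -j allow-icmp-traffic"
}

# How many commands the build emits: create + 5 accepts + log + reject + 2 hooks = 10.
icmp_chain_rule_count() {
    icmp_chain_commands | wc -l | tr -d ' '
}

# Run the generated commands (needs root and iptables); print them otherwise.
case "${1:-print}" in
    apply) icmp_chain_commands | while read -r cmd; do eval "$cmd"; done ;;
    *)     icmp_chain_commands ;;
esac
```

Run it with no argument to review the rules, or `REJECT_WITH=icmp-proto-unreachable sh script.sh apply` as root to load them with Frank's suggested answer.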