Gentoo Archives: gentoo-security

From: Alexander Schreiber <als@××××××××××××.de>
To: Mark Hurst <mark@××××××.net>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Fri, 09 Jan 2004 10:51:28
In Reply to: Re: [gentoo-security] firewall suggestions? by Mark Hurst
On Fri, Jan 09, 2004 at 05:36:51PM +1100, Mark Hurst wrote:
> > Probably you think ICMP is dangerous too. There are a lot of brain dead > > admins who blocks ICMP packets and they wonder why connections to some > > websites are broken or if they administrate the packet filter before a > > webserver they wonder why some user grouches they wouldn't get a > > connection to the web server. > > Ever heard of Smurf or Loki? > > If you allow all ICMP in you are indeed a brain-dead admin, in my opinion. > Sure, host unreachable, DF should be allowed in, but why should an > external host be able to send timestamp or subnet requests?
There are several types of ICMP messages. Some of those you can happily discard (like timestamp requests) some you should discard (like redirect) and some you really want to let through (like unreachable). Others are subject to policy (echo request/reply, although in this case I suggest letting them pass, but put a rate limit on them to avoid easy DoS). Simply dropping all ICMP is stupid and will lead to problems, as ICMP is an integral part of the IP protocol suite. Regards, Alex. -- "Opportunity is missed by most people because it is dressed in overalls and looks like work." -- Thomas A. Edison -- gentoo-security@g.o mailing list