Gentoo Archives: gentoo-security

From: "Paul S." <snafu@××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Sun, 11 Jan 2004 14:18:35
Message-Id: 40015AED.9090803@forkbomb.dhs.org
In Reply to: Re: [gentoo-security] firewall suggestions? by Stephen Clowater
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Clowater wrote:

| You can not Block ICMP, it breaks tcp, its a "controll Message Prococol"
| for a reason. If you block it, you can not send squelches, routes
| unreachable, ect. Point being, block ICMP on your local box, you will
| see a few odd problems, but nothing to devestaing. Block it on a pice of
| networking hardware, you will $%@#$ up a network.

Without attempting to make the thread any longer, the problem with the
above logic is that it assumes that the 'firewall' system is not working
with 'related' packets. You can drop all the ICMP traffic you want, the
required ICMP packets will still get out (and in) so long as the
'firewall' system keeps track of 'related sessions'. If an ICMP packet
needs to get in and it's related to a current session, the firewall will
let it in. If it's unrelated, it's dropped (of course).

And that's the whole purpose of ip_conntrack. Any decent 'firewalling'
script will implement this. Of course, I've been using Seawall (2.2) and
Shorewall (2.4+) for years now without a glitch on personal and
corporate/production 'firewalls' and routers.

Try:
"Keeping track of packets: The state match"
http://www.linux-mag.com/2000-01/bestdefense_03.html
(part of)
"BEST DEFENSE: Network Security With Linux 2.4"
http://www.linux-mag.com/2000-01/bestdefense_01.html

modprobe ip_conntrack
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Regards,
Paul <snafu@××××××××××××.org>

BLOG: http://forkbomb.dhs.org/bs/
GPG Key: http://forkbomb.dhs.org/bs/snafu.asc
- ---
Life would be so much easier if we could just look at the source code.
~        -- Dave Olson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAAVrtNQvzkbg+TpsRAutAAJ40Bk+FwG5UZoXW95d8SXmnHZ/ljACeNzWE
usrHkixM2uPsL1D5Zbie0nE=
=HlVb
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] firewall suggestions? Stephen Clowater <steve@×××××××××××××××××.org>