Ping and firewall

Alexander Dalloz ad+lists at uni-x.org
Tue Aug 2 13:32:04 UTC 2005


On Tue, 02.08.2005 at 10:43, Edward Dekkers wrote:

> I have a rule in my firewall's INPUT chain to drop incoming ICMP.

Sorry to say, but that is braindead (no offense).
ICMP is an important protocol and does not only know the echo-request
and echo-reply types. A proper network relies on proper ICMP
transmission.

> The net result of this is that when I'm testing, and I ping outwards, 
> the echoes don't come back.

Not only that. Again, you are shooting yourself in the foot with that
blackhole setup.

> The rule looks like this:
> 
> echo "	Dropping ICMP from outside"
> $IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP
> $IPTABLES -A FORWARD -j LOG

http://www.faqs.org/docs/iptables/icmptypes.html

So *if* you really think you gain anything by blocking incoming ping
echo requests, then only handle ICMP types 0 and 8 within your ruleset
and let all other types flow.

> On the forward chain I have this:
> 
> echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> 
> Can something similar be done for ICMP? i.e. allow echo ICMP packets 
> back in only if I've pinged somebody?

http://www.faqs.org/docs/iptables/icmpconnections.html

> Regards,
> Ed.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 15:25:24 up 17 days, 19:57, load average: 0.20, 0.26, 0.18 
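An added example that is not part of the original thread: it puts Ed's blanket ICMP drop next to a stateful ruleset built along the lines of Alexander's advice (handle only types 0 and 8 explicitly, let the rest flow, and answer Ed's "only if I've pinged somebody" question with the same ESTABLISHED,RELATED match his FORWARD chain already uses). The `$IPTABLES` and `$EXTIF` variables are assumed to be the ones from Ed's script; the defaults below are placeholders. The functions emit the rules as text instead of applying them, so the result can be reviewed without root and applied later with `icmp_rules_hardened | sh`.

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumed: Ed's script exports
# IPTABLES and EXTIF; the defaults here are placeholders for stand-alone use.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}   # assumed external interface name

# The rule quoted in the thread: drops every ICMP type arriving on the external
# interface, including echo-replies to our own pings and error messages such as
# fragmentation-needed (type 3, code 4), which path MTU discovery depends on.
icmp_rules_broken() {
    echo "$IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP"
}

# Stateful variant. Only types 0 and 8 are handled explicitly; all other ICMP
# flows. Order matters: the state match comes first so that echo-replies to
# pings we sent (ESTABLISHED) and errors about our own TCP/UDP flows (RELATED)
# are accepted before the per-type drops below can see them.
icmp_rules_hardened() {
    echo "$IPTABLES -A INPUT -i $EXTIF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Unsolicited echo-request (type 8): drop if this host should not answer pings.
    echo "$IPTABLES -A INPUT -i $EXTIF -p icmp --icmp-type 8 -j DROP"
    # Unsolicited echo-reply (type 0): replies we asked for were already accepted
    # by the state rule, so anything still matching here was never requested.
    echo "$IPTABLES -A INPUT -i $EXTIF -p icmp --icmp-type 0 -j DROP"
    # Everything else (destination-unreachable, time-exceeded, ...) passes.
    echo "$IPTABLES -A INPUT -i $EXTIF -p icmp -j ACCEPT"
}

# Helper for reviewing a generated ruleset: number of rules it would add.
rule_count() {
    "$1" | grep -c .
}
```

Apply with `icmp_rules_hardened | sh` as root after reviewing the printed lines. Ed's existing FORWARD rule (`-m state --state ESTABLISHED,RELATED` with no `-p`) already matches ICMP, so hosts behind the box get their echo-replies back; only the INPUT chain needed the stateful treatment.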