Re: denying ping

I have a question on ICMP, too.

On my box, I've set up some iptables rules to only allow as much outgoing traffic as is needed by my running applications. My firewall's default policy is DROP. In order not to accidentally allow a program to access the net, I have to deny all traffic, including ICMP messages (because information can be easily tunneled inside an ICMP packet).

The logical consequence of this is that my box doesn't respond to ping requests anymore, which I consider bad behaviour. I'd like to be able to deny ICMP messages for the userland executables, but the kernel (or net driver) should still be allowed to send ping responses.

Any suggestions on how I may achieve this? I haven't had any luck with '-m owner --uid-owner root'. Thanks

Alan Horn wrote:
Russell,

It's a bad idea to deny all icmp, it breaks things like mtu discovery.
There are many different types of icmp, and although denying most is OK,
some you should let in. Off the top of my head I don't recall the type
numbers of the ones you want to drop, and the ones you want to keep

You're probably better off searching for the right ways to deny pings
using ipchains or whatever firewall linux is using nowadays. Then deny only
specific types. Search engine is your friend in this regard since it's
generally a very well solved problem.

Unless you know what you're doing with denying pings, in which case ignore
what I just said :)

Cheers,

Al


On Mon, 8 Mar 2004, russell wrote:


Date: Mon, 08 Mar 2004 22:00:22 -0500
From: russell <simmonsr@xxxxxxxxxxx>
Reply-To: fedora-list@xxxxxxxxxx
To: fedora-list@xxxxxxxxxx
Subject: denying ping

I'm trying to deny ping access on my new fedora box.  I run:  # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all, but this doesn't work. Does anyone have any ideas how to deny icmp requests on fedora?

tia

russell
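Added example, not posted by anyone in this thread: a rule set for the situation in the first message (default DROP policy, kernel allowed to answer pings, userland not allowed to originate ICMP), done the way Alan suggests, by allowing specific ICMP rather than all or none. It leans on iptables' connection-tracking state match instead of the owner match: an echo-reply is built by the kernel and belongs to no local socket, so '-m owner' can never match it, but it is the reply half of a tracked echo-request and therefore matches ESTABLISHED, while a ping started by a local program is NEW in OUTPUT and falls through to the DROP policy. The ICMP errors that path-MTU discovery depends on (destination-unreachable type 3, code 4 "fragmentation needed") arrive as RELATED to an existing flow, so they keep working. The script assumes iptables with the state (conntrack) module and a sysctl binary; by default it only prints the commands so it can be read and run without root, and IPT=iptables SYSCTL=sysctl as root applies them. The sysctl at the end is the one from russell's question, included for the box that should not answer ping at all.

```shell
#!/bin/sh
# Added example, not code from the thread. ICMP policy for a host whose
# iptables INPUT and OUTPUT chains both default to DROP.
# Dry run by default: commands are printed, not executed.
# Apply as root with:  IPT=iptables SYSCTL=sysctl ./icmp-policy.sh
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# ICMP types by number, for reading the rules below and iptables -L output:
#   0 echo-reply   3 destination-unreachable (code 4 = fragmentation needed)
#   8 echo-request 11 time-exceeded          12 parameter-problem

icmp_rules() {
    # Inbound: a fresh echo-request from anywhere is what makes the box
    # answer ping. Everything else inbound must belong to a flow we already
    # track: echo-replies to our own probes, or ICMP errors (including
    # fragmentation-needed) about a connection this host has open.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: only the reply half of a tracked flow, or an error related
    # to one. The kernel's echo-reply to a tracked echo-request is
    # ESTABLISHED and passes; a ping (echo-request) started by a local
    # process is NEW and is dropped by the chain policy. No owner match is
    # involved: kernel-built replies have no owning socket, so
    # '-m owner --uid-owner root' would not match them anyway.
    $IPT -A OUTPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# For a box that should not answer ping at all (the original question):
# the same knob as writing 1 to /proc/sys/net/ipv4/icmp_echo_ignore_all.
ignore_pings() {
    $SYSCTL -w net.ipv4.icmp_echo_ignore_all=1
}

# Run directly: print (or apply) the ICMP rules. Pass "ignore" instead to
# turn off echo replies entirely.
if [ "${1:-}" = "ignore" ]; then
    ignore_pings
else
    icmp_rules
fi
```

On current iptables '-m state --state' is accepted as an alias for '-m conntrack --ctstate'; the rules are otherwise unchanged. This closes the hole the first poster describes (a local program quietly talking out over ICMP) because nothing a process originates is accepted, but it is not a proof against covert channels: a root process with a raw socket could still craft the echo-reply to an inbound request it has observed.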
