I have a question on ICMP, too.
On my box, I've set up some iptables rules, to only allow as much outgoing traffic as is needed by my running applications. My firewall's default policy is DROP. In order not to accidentally allow a program to access the net, I have to deny all traffic, including ICMP messages (because information can be easily tunneled inside an ICMP packet).
Wow. That's pretty paranoid (and depending on what your allowed traffic is possibly completely extraneous).
The logical consequence of this is that my box doesn't respond to ping requests anymore, which I consider bad behaviour. I'd like to be able to deny ICMP messages for the userland executables, but the kernel (or net driver) should still be allowed to send ping responses.
Try something like the following...
In your input chain: -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
In your output chain:
-A RH-Firewall-1-OUTPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
That should, if it's working correctly, only allow echo-reply packets that are responding to an incoming echo-request.
Any suggestions on how I may achieve this? I hadn't any luck with '-m owner --uid-owner root'. Thanks
You probably -really- want to start looking into SELinux, which offers much more fine grained security over what processes are or are not allowed to do.
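The stateful approach from that reply, written out as an added example (not code from the thread) against the plain INPUT/OUTPUT chains rather than the Red Hat RH-Firewall-1-* chains, with the conntrack match in place of the older state match. DRY_RUN=1 prints the rules instead of applying them; applying them needs root.

```shell
#!/bin/sh
# Added example: let the kernel answer pings while an OUTPUT policy of DROP
# still blocks ICMP generated by userland processes.
# Assumptions: standard INPUT/OUTPUT chains and iptables with the conntrack
# match; IPT may be overridden to point at another binary.
IPT="${IPT:-iptables}"

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

icmp_echo_rules() {
    # Default deny in both directions, as in the question.
    run -P INPUT DROP
    run -P OUTPUT DROP
    # An incoming echo-request creates a conntrack entry (state NEW).
    run -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
    # The kernel's echo-reply belongs to that entry, so it is ESTABLISHED.
    # A userland ping (or an ICMP tunnel) starts a NEW flow and falls through
    # to the DROP policy. "-m owner" cannot express this: kernel-generated
    # replies have no owning socket, so --uid-owner never matches them.
    run -A OUTPUT -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Count generated rules containing a given token; lets the rule set be
# sanity-checked without root by running it in dry-run mode.
count_rules_with() {
    ( DRY_RUN=1; icmp_echo_rules ) | grep -c -- "$1"
}
```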