Re: Ping and firewall

On Tue, 02.08.2005 at 10:43, Edward Dekkers wrote:

> I have a rule in my firewall's INPUT chain to drop incoming ICMP.

Sorry to say, but that is braindead (no offense).
ICMP is an important protocol and does not only know the echo-request
and echo-reply types. A proper network relies on proper ICMP
transmission.

> The net result of this is that when I'm testing, and I ping outwards, 
> the echoes don't come back.

Not only that. Again, you are shooting yourself in the foot with that
black hole setup.

> The rule looks like this:
> 
> echo "	Dropping ICMP from outside"
> $IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP
> $IPTABLES -A FORWARD -j LOG

http://www.faqs.org/docs/iptables/icmptypes.html

So *if* you really think you gain anything by blocking incoming ping
echo requests, then only handle ICMP types 0 and 8 within your ruleset
and let all other types flow.

> On the forward chain I have this:
> 
> echo "   FWD: Allow all connections OUT and only existing and related 
> ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state 
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> 
> Can something similar be done for ICMP? i.e. allow echo ICMP packets 
> back in only if I've pinged somebody?

http://www.faqs.org/docs/iptables/icmpconnections.html

> Regards,
> Ed.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 15:25:24 up 17 days, 19:57, load average: 0.20, 0.26, 0.18 

Attachment: signature.asc
Description: This is a digitally signed message part
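The selective ruleset Alexander describes (drop only unsolicited echo-requests on the external interface, let replies to your own pings and all other ICMP types through), written out as an added example; it is not from the original mail or from Ed's script. Variable names `$IPTABLES` and `$EXTIF` follow the quoted script; `eth0` is an assumed placeholder for the external interface. `IPTABLES` defaults to a dry run that only prints the commands, so the script can be inspected without root; set `IPTABLES=iptables` to apply the rules for real.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset.
# Default to a dry run: "echo iptables ..." prints each rule instead of loading it.
IPTABLES="${IPTABLES:-echo iptables}"
# Assumed external interface name; replace with the real one.
EXTIF="${EXTIF:-eth0}"

# Emit the INPUT-chain ICMP rules in the order they must be evaluated.
# Rule order matters: the stateful ACCEPT must come before the echo-request DROP,
# otherwise replies to our own outgoing pings would never be seen.
icmp_rules() {
  # 1. ICMP that belongs to a connection this host started (echo-reply for our
  #    pings, destination-unreachable/time-exceeded for our TCP/UDP flows).
  $IPTABLES -A INPUT -i "$EXTIF" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 2. Only unsolicited echo-requests (ICMP type 8) are dropped.
  $IPTABLES -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP
  # 3. Every other ICMP type (path-MTU discovery, unreachables, TTL expiry) flows.
  $IPTABLES -A INPUT -i "$EXTIF" -p icmp -j ACCEPT
}

# Count how many rules the function emits in dry-run mode (used by the check below).
icmp_rule_count() {
  icmp_rules | wc -l | tr -d ' '
}

icmp_rules
```

The quoted FORWARD rule (`-m state --state ESTABLISHED,RELATED -j ACCEPT` with no `-p` restriction) already lets echo-replies back to LAN hosts that pinged out, because the state module tracks ICMP echo pairs like any other flow; the INPUT chain just needs the same treatment, which is what rule 1 above provides.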

