Rick Stevens wrote:
On Wed, 2007-12-05 at 16:00 -0800, Daniel B. Thurman wrote:
Craig White wrote:
Sent: Wednesday, December 05, 2007 3:33 PM
To: For users of Fedora
Subject: Re: Questions about ICMP
On Wed, 2007-12-05 at 15:27 -0800, Daniel B. Thurman wrote:
Should ICMP packets be allowed both over the
Internet or should it be allowed to pass only in
the local networks?
I have a firewall appliance and trying to make sure
that I am being secured properly.
----
disabling icmp echo requests is a great feature for the ultra-paranoid
Craig
--
So... am I to read this as it is a good idea to disable all icmp
requests? I get a LOT of ICMP requests from the Internet probing
at my ports, which are disabled. This is a good idea?
There is no reason for people to ICMP you unless they're just snooping
to see what IPs are in use--and that can indicate an oncoming hack
attempt. It is a very good idea to turn it off.
Bah humbug.
If I want to know whether you're running an email server, I'll just open
a connexion. A failure tells me all I need to know. icmp (other than
those necessary for the transaction) has nothing to do with it.
The _only_ risks I know with icmp are
1. DoS by overloading your connexion.
Can equally well be done with other IP traffic such as UDP or TCP.
Can't usefully be blocked by you anyway; by the time the traffic reaches
your gateway the harm is done. It has to be blocked at your ISP or further out.
2. Actually breaking your kernel. It has happened (teardrop I think did
that some years ago).
I'm not going to worry about that one, there are many greater risks to
being on the 'net.
I do...at least at my router/firewall. The Internet doesn't need to
know I'm there. Internally I leave it enabled so I can verify my
machines are alive (that and SNMP stuff). So if you're on my private
network, pings are OK. I ignore attempts from the outside (in iptables
parlance, "-j DROP").
My requirements are a little different, I run some of my own Internet
services and need to connect to other machines I control.
At my firewall I log and drop unwelcome traffic, I rate-limit some
traffic (it's hard to enumerate accounts and passwords at five
connexions per hour), and log and reject unwanted traffic within one of
my LANs.
--
Cheers
John