Re: Questions about ICMP

Rick Stevens wrote:
On Wed, 2007-12-05 at 16:00 -0800, Daniel B. Thurman wrote:
Craig White wrote:

Sent: Wednesday, December 05, 2007 3:33 PM
To: For users of Fedora
Subject: Re: Questions about ICMP


On Wed, 2007-12-05 at 15:27 -0800, Daniel B. Thurman wrote:
Should ICMP packets be allowed both over the
Internet or should it be allowed to pass only in
the local networks?

I have a firewall appliance and trying to make sure
that I am being secured properly.
----
disabling icmp echo requests is a great feature for the ultra-paranoid

Craig

--
So... am I to read this as it is a good idea to disable all icmp
requests?  I get a LOT of ICMP requests from the Internet probing
at my ports, which are disabled.  This is a good idea?

There is no reason for people to ICMP you unless they're just snooping
to see what IPs are in use--and that can indicate an oncoming hack
attempt.  It is a very good idea to turn it off.

Bah humbug.
If I want to know whether you're running an email server, I'll just open a connexion. A failure tells me all I need to know. icmp (other than those necessary for the transaction) has nothing to do with it.

The _only_ risks I know with icmp are
1. DoS by overloading your connexion.
   Can equally well be done with other IP traffic such as UDP or TCP.
   Can't usefully be blocked by you anyway; by the time the traffic reaches your gateway the harm is done. Has to be blocked at your ISP or further out.
2. Actually breaking your kernel. It has happened (teardrop I think did that some years ago). I'm not going to worry about that one, there are many greater risks to being on the 'net.


I do...at least at my router/firewall.  The Internet doesn't need to
know I'm there.  Internally I leave it enabled so I can verify my
machines are alive (that and SNMP stuff).  So if you're on my private
network, pings are OK.  I ignore attempts from the outside (in iptables
parlance, "-j DROP").

My requirements are a little different, I run some of my own Internet services and need to connect to other machines I control.

At my firewall I log and drop unwelcome traffic, I rate-limit some traffic (it's hard to enumerate accounts and passwords at five connexions per hour), and log and reject unwanted traffic within one of my LANs.



--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
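The two firewall policies described in this thread (ping answered on the private network but dropped from the Internet, with ICMP that belongs to a transaction still accepted, and new connections rate-limited to five per hour and logged), written out as an added iptables example; this is not code from any of the list members. Interface names, the SSH port and the log prefix are assumptions; by default it only prints the commands, and runs them when APPLY=1.

```shell
#!/bin/sh
# Constructed example: an iptables INPUT policy for the thread's two ideas.
# Dry run by default (prints the commands); APPLY=1 executes them (root needed).
# Note the printed form loses the quotes around the --log-prefix value.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# icmp_policy_rules WAN_IF LAN_IF
icmp_policy_rules() {
    wan=$1; lan=$2
    # ICMP that belongs to an existing flow (errors for our own connections,
    # fragmentation-needed for PMTU) is still accepted, from either side.
    rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Pings from the private network are answered so hosts can be checked for liveness.
    rule -A INPUT -i "$lan" -p icmp --icmp-type echo-request -j ACCEPT
    # Pings from the Internet are silently ignored (the thread's "-j DROP").
    rule -A INPUT -i "$wan" -p icmp --icmp-type echo-request -j DROP
}

# ssh_ratelimit_rules WAN_IF
# A source's sixth and later new SSH connections within an hour are logged
# (the log line itself rate-limited) and dropped; the first five are accepted.
ssh_ratelimit_rules() {
    wan=$1
    rule -N SSH_RATE
    rule -A SSH_RATE -m limit --limit 3/min -j LOG --log-prefix "FW-SSH-RATE: "
    rule -A SSH_RATE -j DROP
    rule -A INPUT -i "$wan" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh-new --hashlimit-mode srcip \
        --hashlimit-above 5/hour --hashlimit-burst 5 -j SSH_RATE
    rule -A INPUT -i "$wan" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Interface names are assumptions; override with WAN=... LAN=... in the environment.
icmp_policy_rules "${WAN:-eth0}" "${LAN:-eth1}"
ssh_ratelimit_rules "${WAN:-eth0}"
```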
