
Re: ICMP Drop - Part II



On Thu, 09 Oct 2003, Menno Scholten wrote:
> After reading the concerns about dropping ICMP packets I was wondering
> if this also applies to a firewall with all inbound traffic blocked. 

Yes. If you block the 'destination unreachable, fragmentation needed'
packets, you will no longer be able to get large packets from a fair
proportion of the Internet -- enough to annoy, but not enough to cripple
the connection. 

> I block everything from the outside and SNAT internet traffic from my
> local workstations to my external IP. If those 'fragmentation needed'
> packets are sent to my IP, they would only come in reply to a
> connection I've made and thus be associated with an existing
> connection right? So they would be accepted as part of the NAT'ed
> connection.

If you have a rule that says accept 'RELATED' packets, the ICMP will be
accepted, as long as the association can be determined.

> Is the above true? I understand about applications that work on an IP
> to IP basis like MSN, but am I right for everything that works without
> special firewall rules?

Yes, with the iptables 'connection tracking' stuff and the 'RELATED'
state.

> Hope this is not too stupid of a question..

Nope. Well asked. :)
      Daniel

-- 
The only place men want depth in a woman is in her décolletage.
        -- Zsa Zsa Gabor
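As an added example, not part of the original post and not iptables' own code: a small Python model of the association Daniel describes. It builds an ICMP "destination unreachable, fragmentation needed" error (type 3, code 4), parses out the embedded IP header plus the first 8 bytes of the transport header, and accepts the error as RELATED only when that inner 5-tuple matches a tracked connection (either direction). The addresses, ports, connection table and packet bytes are constructed for the example; the post-SNAT tuple is what the table holds, since that is what the router on the path saw and echoed back.

```python
"""Model of how stateful tracking decides an ICMP error is RELATED.

Added example (not from the original post or from netfilter). The
connection table and all addresses/packets below are constructed.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
# ICMP types that carry the offending datagram's IP header + 8 bytes of
# transport header (RFC 792); that embedded header is the only thing a
# firewall can associate with an existing connection.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over a message whose checksum
    field is already correct it returns 0, which is how we verify."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, DF set, IP checksum left 0
    (not needed for this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_frag_needed(router: str, fw_ext: str, mtu: int,
                      inner_src: str, inner_sport: int,
                      inner_dst: str, inner_dport: int) -> bytes:
    """A router's 'fragmentation needed' error about a 1500-byte TCP segment
    the firewall sent. Constructed packet, not a capture."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, 1500)
    inner += struct.pack("!HHI", inner_sport, inner_dport, 0x11223344)  # sport, dport, seq
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, fw_ext, IPPROTO_ICMP, 20 + len(icmp)) + icmp


def parse_icmp_error(pkt: bytes):
    """Return the fields needed for association, or None when the packet is
    not ICMP, fails its checksum, or the embedded headers are truncated."""
    if len(pkt) < 20 or pkt[9] != IPPROTO_ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    itype, icode, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    info = {"type": itype, "code": icode, "mtu": mtu,
            "outer_src": socket.inet_ntoa(pkt[12:16]), "inner": None}
    if itype not in ICMP_ERROR_TYPES:      # echo etc. are tracked by id; not modelled
        return info
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:               # need IP header + 64 bits of L4 header
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    info["inner"] = (inner[9], socket.inet_ntoa(inner[12:16]), sport,
                     socket.inet_ntoa(inner[16:20]), dport)
    return info


def classify(pkt: bytes, conntrack: set) -> str:
    """'RELATED' if the embedded datagram belongs to a tracked connection
    (original or reply direction), 'INVALID' otherwise. On a default-drop
    INPUT chain with an accept-RELATED rule only the first kind gets in."""
    info = parse_icmp_error(pkt)
    if info is None:
        return "INVALID"
    if info["inner"] is None:
        return "UNTRACKED"
    proto, src, sport, dst, dport = info["inner"]
    if ((proto, src, sport, dst, dport) in conntrack
            or (proto, dst, dport, src, sport) in conntrack):
        return "RELATED"
    return "INVALID"


if __name__ == "__main__":
    # Workstation 192.168.1.20 was SNATed to 203.0.113.10:40000 and is talking
    # to a web server 198.51.100.7:80 (constructed, RFC 5737 documentation ranges).
    conntrack = {(IPPROTO_TCP, "203.0.113.10", 40000, "198.51.100.7", 80)}
    good = build_frag_needed("192.0.2.1", "203.0.113.10", 1400,
                             "203.0.113.10", 40000, "198.51.100.7", 80)
    spoof = build_frag_needed("192.0.2.1", "203.0.113.10", 68,
                              "203.0.113.10", 40000, "198.51.100.9", 80)
    print(classify(good, conntrack))        # RELATED: router reports on our flow
    print(classify(spoof, conntrack))       # INVALID: no such connection
    print(classify(good[:-8], conntrack))   # INVALID: embedded L4 header cut off
```

The rule that makes this decision count on a default-drop INPUT chain is `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` (`-m conntrack --ctstate ESTABLISHED,RELATED` on current kernels). The model shows why that rule does not let an outsider push arbitrary ICMP errors through: an error whose embedded headers match no tracked connection, or whose checksum or length is wrong, comes out INVALID and falls to the drop policy. It also shows the caveat in "as long as the association can be determined": the error must actually carry the inner IP header and 8 bytes of transport header, so a truncated or mangled error is dropped even if it is genuine.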
