
Re: blocking icmp, firewalls, etc...



On Sat, Feb 26, 2005 at 10:32:41PM -0500, Nizzardini, Chris wrote:
> What is the best solution IYO to blocking ICMP traffic?

Best solution is to not do it.  Blocking ICMP wholesale will break
many things.  (You can block certain ICMP message types without harm,
but I can't tell you offhand which can be blocked and which will
break things because I don't do it.)

> Comcast will get angry at me for running a web server, but I think
> Apache is the coolest thing so screw em!  How can I block port
> scans to my debian linux server.

a)  Apache uses TCP, not ICMP, so blocking ICMP wouldn't help you
hide a web server.

b)  In Minnesota, at least, Comcast doesn't actually care.  I know a
number of people (at least one of whom is on this list *ahem*) and
none have been contacted by Comcast regarding the http, ssh, ntp,
smtp, etc. servers they're running.  None have ever been portscanned
by Comcast, either.

Now, I'm not saying that you shouldn't set up a firewall, of course,
but just do it as a matter of general security, not because you think
you have to hide something from your ISP.  (Besides, if they have an
admin with half a brain, they'll be able to see that lots of other
people are connecting to your port 80 even if you do block the port
so they can't access it themselves.  If anything, that would just
bring them down harder on you because it would be obvious that you
were trying to hide it from them, which implies that you expected
them to not like it but did it anyhow.)

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
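As an added illustration of the reply's point about not dropping ICMP wholesale (editor-supplied example code, not anything from the original mail or its author), here is a small POSIX sh script that prints, or with APPLY=1 applies as root, two iptables INPUT policies: the blunt drop-everything rule and a selective one that keeps the messages TCP and Path MTU Discovery depend on. The choice of which ICMP types to keep is this example's own assumption based on common practice; the thread itself gives no such list.

```shell
#!/bin/sh
# Added example (not from the original mail): selective ICMP filtering with
# iptables instead of dropping all ICMP. Rules are only printed unless APPLY=1.
set -eu

APPLY="${APPLY:-0}"

# Run or print one iptables command, depending on APPLY.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# The blunt rule the question is about: every ICMP type dropped. This also
# discards "fragmentation needed" (a destination-unreachable subtype), so Path
# MTU Discovery fails and large TCP transfers, web traffic included, can stall.
icmp_rules_blunt() {
    ipt -A INPUT -p icmp -j DROP
}

# Selective alternative (assumed list, common practice): keep the error and
# reply messages that TCP, traceroute and PMTUD rely on, answer ping only at a
# limited rate to dampen floods, and drop everything else.
icmp_rules_selective() {
    for t in destination-unreachable time-exceeded parameter-problem echo-reply; do
        ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    ipt -A INPUT -p icmp -j DROP
}

# Stand-alone run: show the selective policy (dry run unless APPLY=1).
icmp_rules_selective
```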
