
Re: ICMP drop.



On Thu, 09 Oct 2003, Rudi Starcevic wrote:
>>This *will* make your life miserable, as you suddenly can't connect
>>to, or be connected to from, a large proportion of systems.
> 
> Thanks - sorry such novice questions.

That's fine -- you asked sensible questions, with obvious research, and
accepted assistance. That's more than a lot of people can manage. :)

[...]

> I've had Snort up and running only for a day or so and noticed an IP
> that first pinged me then followed up with loads of requests on all
> sorts of ports which triggered dozens of alerts.

That would be today's Internet, sadly. If you don't have security from
second one you are on the network, you lose.  I miss the good old days
where there was a chance of a day passing before the first portscan...

> So I had the silly idea to drop icmp packets and be anonymous.

*nod*  It's a good idea, and something that is reasonable to do for
most ICMP packets.

> As I now know you'll also end up lonely if you drop icmp packets. So it's
> not really possible to be anonymous. The machine just has to deal with
> the requests asked of it.

Well, pretty much. A good firewall should ensure you never see most of
them anyway, but you can't do anything to make certain of not being
scanned.

Blocking some-but-not-all ICMP is good, though, especially if you have
Windows boxes behind your firewall.

Basically, you *must* allow the following ICMP packet types through, or
your network connection is less functional:

     ICMP 3  - destination unreachable
     ICMP 11 - TTL exceeded
     ICMP 12 - parameter problems

With iptables, the following rules will do that:

# proto-icmp is a user-defined chain; incoming ICMP must be jumped to it from INPUT
iptables -A proto-icmp -p icmp --icmp-type 3 -j ACCEPT    # destination unreachable
iptables -A proto-icmp -p icmp --icmp-type 11 -j ACCEPT   # TTL exceeded
iptables -A proto-icmp -p icmp --icmp-type 12 -j ACCEPT   # parameter problem
iptables -A proto-icmp -p icmp -j DROP                    # everything else

Obviously, you need to hook this into your system your way. :)

> The first step is to monitor those requests with something like Snort.

Personally, I don't bother monitoring with Snort for most of the
attacks. People attack, my firewall ignores it, all is well.

         Daniel

-- 
Some television is so much chewing gum for the eyes.
        -- John Mason Brown
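The following script is an added example, not part of Daniel's or Rudi's mail: it builds the proto-icmp chain described above and does the "hook it into your system" step the post leaves to the reader, by creating the chain, filling it with the three required ACCEPT rules plus the final DROP, and inserting a jump from INPUT. The chain name proto-icmp and the ICMP types 3, 11 and 12 come from the post; the DRY_RUN switch, the run/icmp_chain_rules/hook_into_input function names and the "apply" / "dry-run" command-line arguments are assumptions made for this example. Applying for real needs root and a Linux box with iptables; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post): ICMP filtering chain for iptables.
# Usage:  sh icmp-chain.sh dry-run     # print the iptables commands
#         sh icmp-chain.sh apply       # run them (needs root)
set -e

# ICMP types that must be accepted or TCP/IP misbehaves (from the post):
#   3  destination unreachable (includes "fragmentation needed", used by Path MTU discovery)
#   11 time exceeded (what traceroute relies on)
#   12 parameter problem
REQUIRED_ICMP_TYPES="3 11 12"

# Chain name taken from the post; everything incoming ICMP is sent through it.
CHAIN="proto-icmp"

# Run iptables, or just print the command when DRY_RUN=1 (assumed switch for
# this example, so the script can be checked without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the proto-icmp chain: create it if missing, flush it so the script is
# safe to run twice, accept the required types, drop the rest.
icmp_chain_rules() {
    run -N "$CHAIN" 2>/dev/null || true
    run -F "$CHAIN"
    for t in $REQUIRED_ICMP_TYPES; do
        run -A "$CHAIN" -p icmp --icmp-type "$t" -j ACCEPT
    done
    run -A "$CHAIN" -p icmp -j DROP
}

# Hook the chain into INPUT. Remove any earlier jump first (ignoring "no such
# rule") so re-running does not stack duplicate jumps, then insert it at the top.
hook_into_input() {
    run -D INPUT -p icmp -j "$CHAIN" 2>/dev/null || true
    run -I INPUT -p icmp -j "$CHAIN"
}

case "${1:-}" in
    dry-run)
        DRY_RUN=1
        icmp_chain_rules
        hook_into_input
        ;;
    apply)
        icmp_chain_rules
        hook_into_input
        ;;
esac
```

The jump is inserted with -I rather than -A so it lands before any blanket ACCEPT or REJECT rule already in INPUT; if your INPUT chain is built by a different tool (a distribution firewall script, for instance), add the jump there instead of from this script.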


