Re: droping internal network icmp usign forward

To: "debian-firewall@lists.debian.org" <debian-firewall@lists.debian.org>
Subject: Re: droping internal network icmp usign forward
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Sun, 15 Oct 2006 18:05:36 +0200
Message-id: <[🔎] 45325C50.6020902@plouf.fr.eu.org>
In-reply-to: <[🔎] 4530EA36.8050201@cnt.uo.edu.cu>
References: <[🔎] 4530EA36.8050201@cnt.uo.edu.cu>

Hello,

luis a écrit :

hi there ani advise to drop icmp usign forward?
example iptables -A FORWARD -s 10.30.0.0/24 -d $mylan(10.30.146.4/24) -picmp -j DROP
is that ok?

Well, it drops ICMP packets which hit the rule and match the source anddestination address conditions. However it won't drop packets whichdon't hit the rule for any reason or don't match the address conditions.

well is not working here i tho


Aren't there any rules placed before that my accept the packets ?

Don't forget that the classic "-m state RELATED,ESTABLISHED" conditionwhich is often placed at the beginning of a chain matches any valid ICMPerror packet (destination unreachable, time exceeded...).

also i would like to drop the port to avoid nmap scan from outside to mynetwork


Huh ? What do you mean exactly by "drop the port" ?

Reply to:

References:
- droping internal network icmp usign forward
  - From: luis <itachi@cnt.uo.edu.cu>

Prev by Date: Re: Port Forward by MAC
Next by Date: Re: droping internal network icmp usign forward
Previous by thread: droping internal network icmp usign forward
Next by thread: Re: droping internal network icmp usign forward
Index(es):
- Date
- Thread