
Re: Strange firewall logs

Ah, looking at my firewall I've got:

-A output -s -d -p 17 -j ACCEPT
-A output -s -d -j REJECT -l
-A output -s -d -j REJECT -l
-A input -s -d -j DENY -l
-A input -s -d -j DENY -l

So from what you are saying I should add:

-A output -s 0 -d -p 1 -j ACCEPT
-A output -s 3 -d -p 1 -j ACCEPT
-A output -s 4 -d -p 1 -j ACCEPT
-A output -s 8 -d -p 1 -j ACCEPT
-A output -s 11 -d -p 1 -j ACCEPT
-A output -s 12 -d -p 1 -j ACCEPT


Should these be allowable from to anywhere? And would the ICMP
port originate on the end or the destination end?


On Sun, 11 Feb 2001, Simon Murcott wrote:

> Tim Bishopric wrote:
> > This log shows that Ipchains is rejecting outbound loopback (lo) traffic with a source IP of and a destination of  Protocol 1 is ICMP (see /etc/services) and I think type 3 reports "destination unreachable."  If you block ICMP, you will have problems with DNS, timeouts, etc.
> >
> > More info:
> > http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html#2
> It is definitely not wise to block ICMP unreachables, source-quench, parameter-problem and time-exceeded. But it is wise to block ICMP redirect, timestamp-(req|reply), info-(req|reply) and address-(req|reply). The only exception is that if you can trust a router then it MAY be ok to accept redirects
> from it.
> I leave pings up to your discretion :p
> I usually recommend blocking all ICMP except for:
>      0 echo reply (ping reply)
>      3 destination unreachable
>      4 source quench
>      8 echo request (ping)
>     11 time exceeded
>     12 parameter problem
> This stuff is all diagnostics, the rest has questionable use (even on internal networks).
> Regards
> Simon Murcott
> e. simon@murcott.net
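The allow/deny list Simon gives above, worked through as an added example that is not part of this thread or of ipchains: a small Python filter that parses a raw ICMP message (type, code, RFC 792 checksum) and returns the verdict his list implies for it, accepting the six diagnostic types and denying redirect, timestamp, information and address-mask messages. The sample messages are constructed in the script itself; the function and constant names are my own. (For the ipchains syntax question in the reply: ipchains takes the ICMP type in the source "port" position after -s and the ICMP code in the destination position after -d.)

```python
import struct

# The diagnostic ICMP types Simon's post recommends allowing.
ALLOWED_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    8: "echo request",
    11: "time exceeded",
    12: "parameter problem",
}

# The types the post recommends blocking, named so log lines are readable.
BLOCKED_TYPES = {
    5: "redirect",
    13: "timestamp request",
    14: "timestamp reply",
    15: "information request",
    16: "information reply",
    17: "address mask request",
    18: "address mask reply",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum (used only for constructed test input)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + payload


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok). The checksum over a valid message, field included, is 0."""
    if len(msg) < 4:
        raise ValueError("short ICMP message")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    return icmp_type, code, icmp_checksum(msg) == 0


def filter_icmp(msg: bytes) -> tuple:
    """Apply the policy from the post: ACCEPT the diagnostic types, DENY everything else."""
    try:
        icmp_type, code, checksum_ok = parse_icmp(msg)
    except ValueError as exc:
        return ("DENY", str(exc))
    if not checksum_ok:
        return ("DENY", "bad checksum")
    if icmp_type in ALLOWED_TYPES:
        return ("ACCEPT", "type %d (%s) code %d" % (icmp_type, ALLOWED_TYPES[icmp_type], code))
    name = BLOCKED_TYPES.get(icmp_type, "unassigned/other")
    return ("DENY", "type %d (%s) code %d" % (icmp_type, name, code))


# Constructed sample messages: id/seq and the unused/gateway fields are zeros or small values.
SAMPLE_MESSAGES = {
    "ping request": build_icmp(8, 0, b"\x00\x01\x00\x01"),
    "port unreachable": build_icmp(3, 3, b"\x00" * 4),
    "redirect": build_icmp(5, 1, b"\x00" * 4),
    "timestamp request": build_icmp(13, 0, b"\x00" * 16),
    "corrupted ping": bytes([9]) + build_icmp(8, 0, b"\x00\x01\x00\x01")[1:],
    "truncated": b"\x08",
}


def run_samples() -> dict:
    """Return the verdict for every constructed sample, keyed by its label."""
    return {label: filter_icmp(msg) for label, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, (verdict, reason) in run_samples().items():
        print("%-18s %-6s %s" % (label, verdict, reason))
```

The checksum check matters because a filter that only reads the first byte would also pass a damaged or deliberately malformed message on to the host; verifying it before classifying is what a kernel filter does as well. The policy table is separate from the parser so the same code can be pointed at another allow list without touching the packet handling.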
