
Packet filtering help



I've tightened my filtering rules recently, but have a few questions
regarding TCP SYN packets and ICMP packets.

Supposing I'm ACCEPTing on TCP ports 22, 25 and 80.
I am ACCEPTing all packets for these 3 ports.
I am ACCEPTing non-SYN for ports > 1023
I am DENYing for all other packets.

How should ICMP packets be filtered? I was blocking them all, but I was
getting a lot of traffic in my logs like:
kernel: Packet log: input DENY eth1 PROTO=1 216.242.53.162:3 x.y.z.82:3 L=56 S=0x00 I=25760 F=0x0000 T=243 (#27)
kernel: Packet log: input DENY eth1 PROTO=1 211.184.206.194:8 x.y.z.82:0 L=60 S=0x00 I=65280 F=0x0000 T=15 (#5)

I'm currently allowing ICMP to and from ports 0, 3 and 8. I'm just afraid
that I'm breaking a few RFCs doing this.

Also...

Is it a better idea to DENY or REJECT? What does Ye Olde RFC recommend?
Which is safer?

-B

-- 
Brandon High                                     armitage@freaks.com
Stress is when you wake up screaming & you realize you haven't fallen
asleep yet.
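
An added example, not part of the original post: a small Python decoder for the ipchains log lines quoted above. It relies on ipchains logging the ICMP type and code in the source and destination port positions when PROTO=1; the function names and the name tables (a subset) are written for this example.

```python
import re
from collections import Counter

# ipchains "Packet log" line: chain, verdict, interface, protocol, src:port, dst:port.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+)"
)

# Subset of ICMP types and destination-unreachable codes (RFC 792, RFC 1191).
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded",
              12: "parameter-problem"}
UNREACH_CODES = {0: "net-unreachable", 1: "host-unreachable",
                 2: "protocol-unreachable", 3: "port-unreachable",
                 4: "fragmentation-needed"}

# The two log lines quoted in the post.
SAMPLE = [
    "kernel: Packet log: input DENY eth1 PROTO=1 216.242.53.162:3 x.y.z.82:3 "
    "L=56 S=0x00 I=25760 F=0x0000 T=243 (#27)",
    "kernel: Packet log: input DENY eth1 PROTO=1 211.184.206.194:8 x.y.z.82:0 "
    "L=60 S=0x00 I=65280 F=0x0000 T=15 (#5)",
]

def decode_icmp(line):
    """Return a dict describing an ICMP log entry, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None or m["proto"] != "1":
        return None
    # For PROTO=1 the "port" after the source is the ICMP type,
    # and the "port" after the destination is the ICMP code.
    icmp_type, icmp_code = int(m["sport"]), int(m["dport"])
    name = ICMP_TYPES.get(icmp_type, f"type-{icmp_type}")
    if icmp_type == 3:
        name += "/" + UNREACH_CODES.get(icmp_code, f"code-{icmp_code}")
    return {"verdict": m["verdict"], "src": m["src"], "dst": m["dst"],
            "type": icmp_type, "code": icmp_code, "name": name}

def summarize(lines):
    """Count logged ICMP packets by (verdict, message name)."""
    return Counter((e["verdict"], e["name"])
                   for e in map(decode_icmp, lines) if e)

if __name__ == "__main__":
    for (verdict, name), count in summarize(SAMPLE).items():
        print(verdict, name, count)
```
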


