[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packet filtering help

On Mon, Apr 09, 2001 at 12:05:18PM -0700, Brandon High wrote:
> How should ICMP packets be filtered? I'm was blocking them all, but I was
> getting a lot of traffic in my logs like:
> kernel: Packet log: input DENY eth1 PROTO=1 x.y.z.82:3 L=56 S=0x00 I=25760 F=0x0000 T=243 (#27)
> kernel: Packet log: input DENY eth1 PROTO=1 x.y.z.82:0 L=60 S=0x00 I=65280 F=0x0000 T=15 (#5)

Ask yourself this: *Why* should ICMP be filtered?  What are you gaining?
Do you sleep better at night knowing that your machine won't respond to
pings?  It really doesn't make you any safer.

> Is it a better idea to DENY or REJECT? What does Ye Olde RFC recommend?
> Which is safer?

REJECT causes an "icmp port unreachable" message to be sent to the
originating host.  DENY doesn't.  Connecting to a REJECT rule gives a
"connection refused" error, while connecting to a DENY rule just sits
there until the connection times out.  It's polite to REJECT, and I do
believe it's specified in an RFC, but I'm not sure.  By default, if you
aren't using ipchains at all, a connection to a closed port results in
an ICMP port unreachable message being sent.

I don't feel like you gain any security by DENYing connections or by
filtering ICMP.


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgpUBvvHVBXye.pgp
Description: PGP signature

Reply to: