
Re: Packet filtering help



On Mon, Apr 09, 2001 at 12:05:18PM -0700, Brandon High wrote:
> How should ICMP packets be filtered? I was blocking them all, but I was
> getting a lot of traffic in my logs like:
> kernel: Packet log: input DENY eth1 PROTO=1 216.242.53.162:3 x.y.z.82:3 L=56 S=0x00 I=25760 F=0x0000 T=243 (#27)
> kernel: Packet log: input DENY eth1 PROTO=1 211.184.206.194:8 x.y.z.82:0 L=60 S=0x00 I=65280 F=0x0000 T=15 (#5)

Ask yourself this: *Why* should ICMP be filtered?  What are you gaining?
Do you sleep better at night knowing that your machine won't respond to
pings?  It really doesn't make you any safer.

> Is it a better idea to DENY or REJECT? What does Ye Olde RFC recommend?
> Which is safer?

REJECT causes an "icmp port unreachable" message to be sent to the
originating host.  DENY doesn't.  Connecting to a REJECT rule gives a
"connection refused" error, while connecting to a DENY rule just sits
there until the connection times out.  It's polite to REJECT, and I do
believe it's specified in an RFC, but I'm not sure.  By default, if you
aren't using ipchains at all, a connection to a closed port results in
an ICMP port unreachable message being sent.

I don't feel like you gain any security by DENYing connections or by
filtering ICMP.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
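The two log lines quoted at the top of the thread are ipchains "Packet log" entries, and for PROTO=1 (ICMP) the two "port" slots hold the ICMP type and code rather than ports. The following parser is an added example, not code from the thread or from ipchains itself; the three sample lines are constructed (the first two copy the shape of the quoted entries, the third is a made-up TCP entry), and the regex assumes the field order shown in those lines.

```python
"""Decode ipchains "Packet log:" lines, naming the ICMP type/code of ICMP entries."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first two lines mirror the shape of the log lines quoted
# in the thread; the third is a made-up TCP entry to exercise the non-ICMP path.
SAMPLE_LOG = """\
kernel: Packet log: input DENY eth1 PROTO=1 216.242.53.162:3 x.y.z.82:3 L=56 S=0x00 I=25760 F=0x0000 T=243 (#27)
kernel: Packet log: input DENY eth1 PROTO=1 211.184.206.194:8 x.y.z.82:0 L=60 S=0x00 I=65280 F=0x0000 T=15 (#5)
kernel: Packet log: input DENY eth1 PROTO=6 10.0.0.5:40123 x.y.z.82:22 L=60 S=0x00 I=1 F=0x4000 T=64 (#3)
"""

# ipchains prints ICMP packets with the type in the source "port" slot and the
# code in the destination "port" slot; the names below follow RFC 792.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
}
ICMP_UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
}

# Assumed field order: chain target iface PROTO=n src:sport dst:dport L=len ... T=ttl (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) .*?T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)


@dataclass
class LogEntry:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    rule: int

    @property
    def is_icmp(self) -> bool:
        return self.proto == 1

    @property
    def icmp_type(self) -> Optional[int]:
        # For ICMP the "source port" slot carries the ICMP type.
        return self.sport if self.is_icmp else None

    @property
    def icmp_code(self) -> Optional[int]:
        # For ICMP the "destination port" slot carries the ICMP code.
        return self.dport if self.is_icmp else None


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return LogEntry(
        chain=f["chain"], target=f["target"], iface=f["iface"],
        proto=int(f["proto"]), src=f["src"], sport=int(f["sport"]),
        dst=f["dst"], dport=int(f["dport"]), length=int(f["length"]),
        ttl=int(f["ttl"]), rule=int(f["rule"]),
    )


def describe(entry: LogEntry) -> str:
    """One-line summary; ICMP entries get their type (and unreachable code) spelled out."""
    if not entry.is_icmp:
        return (f"{entry.target} proto={entry.proto} {entry.src}:{entry.sport} -> "
                f"{entry.dst}:{entry.dport} (rule #{entry.rule})")
    name = ICMP_TYPES.get(entry.icmp_type, f"type {entry.icmp_type}")
    if entry.icmp_type == 3:
        name += ", " + ICMP_UNREACH_CODES.get(entry.icmp_code, f"code {entry.icmp_code}")
    return f"{entry.target} ICMP {name} from {entry.src} to {entry.dst} (rule #{entry.rule})"


def parse_log(text: str) -> List[LogEntry]:
    """Parse every matching line of a log excerpt, silently skipping unrelated lines."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(describe(entry))
```

Run against the sample, the first quoted line decodes as a type 3 / code 3 "port unreachable" from a remote host, which is exactly the message a REJECT rule (or an unfiltered closed port) sends back; dropping such replies on the way in is what leaves the local machine's own outbound attempts waiting for a timeout instead of failing fast. The second decodes as a type 8 echo request, the packet a "block pings" rule is actually aimed at.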


