
Re: Packet filtering help



I went to a talk by Paul "Rusty" Russell (who maintains the 
firewalling code in the Linux kernel) last year.  Now I don't have
my notes with me so I'm just going by my highly fallible memory
here, but Rusty definitely said that blocking ICMP was evil and
anti-social.  I can't remember the exact reason, but I think it
was something like:  on very high latency links (like say between
Europe and Australia on a bad day)  TCP connections can use
ICMP packets to verify that a host is still available before timing
out (not all TCP implementations actually do this, but according
to the RFC they can, and you should let them).  

Please don't flame me if I have got this hopelessly garbled.  :)

> On Mon, Apr 09, 2001 at 03:20:00PM -0400, Noah L. Meyerhans wrote:
> > Ask yourself this: *Why* should ICMP be filtered?  What are you gaining?
> > Do you sleep better at night knowing that your machine won't respond to
> > pings?  It really doesn't make you any safer.
> 
> What are you gaining by responding to them?
> 
> A decent policy is to drop everything you don't need to respond to.
> 
> Now, if you need to reply to pings, etc. for debugging purposes, or
> for availability monitoring, etc. then that is a valid reason.
> 
> 
> > I don't feel like you gain any security by DENYing connections or by
> > filtering ICMP.
> 
> You do gain some "security through obscurity."  Depending on how much
> you value this contributes to your subsequent choice.
> 
> For instance, many script kiddies will not scan your entire box if you
> are undetected by a ping sweep.  Granted, if you have other
> vulnerabilities that you are hiding then you have bigger problems. 
> But it can buy you some time at least.
> 
> I'm sure this is a perfectly flammable post, so discussion is
> encouraged. ;)
> 
--
Paul Haesler                    paul@haesler.dyndns.org

Quidquid latine dictum sit, altum viditur
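The thread above argues over "filter ICMP or not" as an all-or-nothing choice. The script below is an added example, not code from the post or from the netfilter project: a minimal iptables ICMP policy that keeps the ICMP error messages the TCP/IP stack depends on (destination-unreachable, which carries "fragmentation needed" for path MTU discovery, plus time-exceeded and parameter-problem), answers pings at a bounded rate, and drops the rest. The `IPT` variable, the chosen rate limits and the log prefix are assumptions for the example; by default it only prints the rules, and running it as root with `IPT=iptables` installs them.

```shell
#!/bin/sh
# Added example (not from the list post): a minimal netfilter/iptables
# ICMP policy that keeps the ICMP messages TCP/IP relies on instead of
# blocking ICMP wholesale, while still bounding what the host answers.
#
# Dry-run by default: IPT=echo prints the commands. Run as root with
# IPT=iptables to install them. IPT and the rate limits are assumptions
# made for this example.
IPT="${IPT:-echo}"

install_icmp_rules() {
    # Replies to pings, traceroutes etc. that this host itself sent are
    # tracked by conntrack and arrive as ESTABLISHED/RELATED.
    "$IPT" -A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Type 3 (destination-unreachable) includes code 4 "fragmentation
    # needed". Without it path MTU discovery breaks and large TCP
    # transfers stall on long or tunnelled paths.
    "$IPT" -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

    # Type 11 (time-exceeded) and type 12 (parameter-problem) are error
    # reports; dropping them hides real path problems from the stack.
    "$IPT" -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

    # Echo requests: answer them, but only at a bounded rate, so the
    # host stays reachable for monitoring without being tied up by a
    # flood or a sweep.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT

    # Everything else ICMP (redirects, router advertisements, timestamp
    # and mask requests, excess echo requests) is logged at a low rate
    # and then dropped.
    "$IPT" -A INPUT -p icmp -m limit --limit 1/minute -j LOG --log-prefix "icmp-drop: "
    "$IPT" -A INPUT -p icmp -j DROP
}

install_icmp_rules
```

Rule order matters: the ESTABLISHED,RELATED and error-type accepts sit before the final DROP, and the rate-limited echo-request accept sits before it as well, so the only echo requests that reach the DROP are those exceeding the limit. Put these rules ahead of any blanket `-p icmp -j DROP` already in the INPUT chain, or the broader rule wins.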
