Re: Packet filtering help

To: Brandon High <armitage@freaks.com>
Cc: debian-security@lists.debian.org
Subject: Re: Packet filtering help
From: Simon Murcott <simon@murcott.net>
Date: Tue, 10 Apr 2001 09:54:17 +1200 (NZST)
Message-id: <986853257.3ad22f892f75b@www.murcott.net>
In-reply-to: <Pine.LNX.4.21.0104091204330.5024-100000@schitzo.freaks.com>
References: <Pine.LNX.4.21.0104091204330.5024-100000@schitzo.freaks.com>

Quoting Brandon High <armitage@freaks.com>:

> I'm currently allowing ICMP to and from ports 0, 3 and 8. I'm just
> afraid
> that I'm breaking a few RFCs doing this.

One point of confusion to be aware of is that ICMP does not use ports. It has
types and codes.

Yes there is some ICMP that you do NOT want.

Pings (0 and 8) I recommend you decide, I prefer to have them but most MS
weenies hate them ;) Also time-exceeded (11) is used by traceroute.

Unreachables (3), source-quench (4) and parameter-problem (12) are very
important for anything connected to the net. There is some very detailed
information available as to why you need these available on the net so I won't
go into it here :p

Everything else I recommend to deny. Especially the network discovery types.

The only exception is that sometimes you ISP's router will send redirects to
other shared networks so you may want to accept redirects (5) ONLY FROM YOU
ISP's ROUTER. It is very important to not blindly accept redirects.

Have a look at /usr/include/netinet/ip_icmp.h for a starting point.

Regards

Simon Murcott
e. simon@murcott.net
m. +6421 304555

Reply to:

References:
- Packet filtering help
  - From: Brandon High <armitage@freaks.com>

Prev by Date: Re: Packet filtering help
Next by Date: Re: Packet filtering help
Previous by thread: Re: Packet filtering help
Next by thread: Re: Packet filtering help
Index(es):
- Date
- Thread