
Re: Packet filtering help

Quoting Brandon High <armitage@freaks.com>:

> I'm currently allowing ICMP to and from ports 0, 3 and 8. I'm just
> afraid
> that I'm breaking a few RFCs doing this.

One point of confusion to be aware of is that ICMP does not use ports. It has
types and codes.

Yes, there is some ICMP that you do NOT want.

Pings (0 and 8): I recommend you decide; I prefer to have them, but most MS
weenies hate them ;) Also time-exceeded (11) is used by traceroute.

Unreachables (3), source-quench (4) and parameter-problem (12) are very
important for anything connected to the net. There is some very detailed
information available as to why you need these available on the net so I won't
go into it here :p

Everything else I recommend to deny. Especially the network discovery types.

The only exception is that sometimes your ISP's router will send redirects to
other shared networks, so you may want to accept redirects (5) ONLY FROM YOUR
ISP's ROUTER. It is very important to not blindly accept redirects.

Have a look at /usr/include/netinet/ip_icmp.h for a starting point.


Simon Murcott
e. simon@murcott.net
m. +6421 304555
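As an added illustration of the policy described in the reply above (not code from the original thread), the following Python parses a raw ICMP message, verifies its RFC 792 checksum, and applies the same type-based rules: unreachable (3), source-quench (4), time-exceeded (11) and parameter-problem (12) always pass, echo (8) and echo-reply (0) pass only if the operator opts in, redirect (5) passes only from one assumed ISP router address, and everything else is dropped. The router address 192.0.2.1 and the test addresses are constructed for the example; the type constants are named after those in `<netinet/ip_icmp.h>`.

```python
import struct
from ipaddress import ip_address

# ICMP type numbers, named as in <netinet/ip_icmp.h>.
ICMP_ECHOREPLY, ICMP_UNREACH, ICMP_SOURCEQUENCH, ICMP_REDIRECT = 0, 3, 4, 5
ICMP_ECHO, ICMP_TIMXCEED, ICMP_PARAMPROB = 8, 11, 12

# Hypothetical upstream router of the ISP (constructed address, not real).
ISP_ROUTER = ip_address("192.0.2.1")

ALWAYS_ALLOW = {ICMP_UNREACH, ICMP_SOURCEQUENCH, ICMP_TIMXCEED, ICMP_PARAMPROB}
PING_TYPES = {ICMP_ECHO, ICMP_ECHOREPLY}


def _csum(msg: bytes) -> int:
    """RFC 792 one's-complement sum over the whole ICMP message (16-bit words)."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack(f"!{len(msg) // 2}H", msg))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decide(src: str, msg: bytes, allow_ping: bool = True) -> str:
    """Return 'accept' or 'drop' for an ICMP message arriving from IP address src."""
    if len(msg) < 8 or _csum(msg) != 0:     # header too short or checksum mismatch
        return "drop"
    icmp_type = msg[0]                      # byte 0 = type, byte 1 = code
    if icmp_type in ALWAYS_ALLOW:
        return "accept"
    if icmp_type in PING_TYPES:
        return "accept" if allow_ping else "drop"
    if icmp_type == ICMP_REDIRECT:
        # Redirects rewrite our routing table, so only the ISP router may send them.
        return "accept" if ip_address(src) == ISP_ROUTER else "drop"
    return "drop"                           # router/address-mask discovery etc. (9, 10, 13-18)


def build(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct a checksummed ICMP message; used here only to make sample input."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest
    return hdr[:2] + struct.pack("!H", _csum(hdr)) + hdr[4:]
```

Source-quench (4) has since been deprecated by RFC 6633, so a current ruleset would normally drop it rather than keep it in the always-allow set.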