
Re: Off Topic: iptables, ping, traceroute



Hi!

Just an interesting note....

We had traceroute and ping disabled on our firewall, and our support guy got
_deluged_ with calls from people claiming the server was down because they couldn't
ping it. They had tried to actually use the service it offered, of course
(typical lusers!).

So consider what costs you might incur if you disable icmp. AFAIK several of the
"Internet for Dummies" type books suggest pinging away at servers whenever there
is any sort of lag - and let's face it, the support dudes already have a rough
enough job, without 500 calls that "the server is down!".

JPF

William Jensen wrote:

> I've setup a fairly restrictive set of rules for iptables and have been,
> up to this point, extremely satisfied with its performance.  However,
> I've recently started having some significant issues with my cable modem
> provider and they routinely want to ping and traceroute to my machine.
> This requires me to take down my firewall and wait for them to finish,
> then put it back up.  I'd like to make, as part of my rule set, ping and
> traceroute able to get through.  So far I've done this for my input chain
> for ping
>
>     -A INPUT -p icmp -j ACCEPT
>
> For traceroute I've done this:
>
>     -A INPUT -p ip -j ACCEPT
>
> These appear to work, however, am I overlooking something from a security
> point of view by allowing any icmp and ip's through?  Is there a better
> way?
>
> Thanks,
>
> Wm
>
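The two quoted rules answer the question with a blunt instrument: `-p icmp -j ACCEPT` admits every ICMP type (including redirects and router advertisements), and `-p ip -j ACCEPT` matches every protocol, so it effectively switches the INPUT chain off. What the provider actually needs is inbound echo-request (ping, and the ICMP flavour of traceroute) plus the UDP probes that classic traceroute sends to high ports, which the host should answer with ICMP port-unreachable rather than silently drop. The script below, an added example that is not from either poster, generates an iptables-restore ruleset doing exactly that. The rate limit, the 33434:33523 port range and the DROP policy are assumptions to adjust for your own setup; loading the output replaces the whole filter table, so merge the lines into an existing ruleset rather than loading it blind.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset that admits only what ping and traceroute
# need, instead of "-p icmp -j ACCEPT" and "-p ip -j ACCEPT".
# Review with:  gen_ping_traceroute_rules | less
# Load with:    gen_ping_traceroute_rules | sudo iptables-restore
# (this replaces the filter table; merge into an existing ruleset as needed)

gen_ping_traceroute_rules() {
    # Rate limit for inbound echo-request; assumed default, tune for your link.
    rate="${1:-5/second}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to traffic this host started. RELATED also covers
# the ICMP time-exceeded replies to our own outbound traceroute probes.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping (and ICMP-based traceroute such as Windows tracert): inbound
# echo-request only, rate-limited so a ping flood cannot swamp the host.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit ${rate} --limit-burst 10 -j ACCEPT
# ICMP error types needed for path MTU discovery and sane error reporting.
# Redirects, router advertisements etc. stay blocked by the policy.
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Classic UDP traceroute: probes land on 33434 and up (assumed range).
# REJECT, not DROP: the ICMP port-unreachable we send back is how the
# remote traceroute learns it has reached us; dropping shows "* * *".
-A INPUT -p udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# Everything else inbound falls through to the DROP policy.
COMMIT
EOF
}

# Number of ICMP types explicitly admitted; handy when reviewing a diff.
count_icmp_rules() {
    gen_ping_traceroute_rules | grep -c -- '-p icmp --icmp-type'
}
```

Check the result with `iptables -L INPUT -v -n` after loading: the echo-request counter should climb while the provider pings, and the UDP REJECT counter while they run traceroute. Note that this does not reproduce the "server is down" problem from the message above, since ping still answers; it only stops the firewall from answering everything.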
