
Re: Off Topic: iptables, ping, traceroute



On Mon, 16 Jul 2001, John Patton wrote:

> On Mon, Jul 16, 2001 at 02:30:29PM -0500, William Jensen wrote:
> > I've setup a fairly restrictive set of rules for iptables and have been,
> > up to this point, extremely satisfied with its performance.  However,
> > I've recently started having some significant issues with my cable modem
> > provider and they routinely want to ping and traceroute to my machine.
> > This requires me to take down my firewall and wait for them to finish,
> > then put it back up.  I'd like to make, as part of my rule set, ping and
> > traceroute able to get through.  So far I've done this for my input chain
> > for ping
> > 
> >     -A INPUT -p icmp -j ACCEPT
> > 
> >     For traceroute I've done this:
> > 
> >     -A INPUT -p ip -j ACCEPT
> > 
> > These appear to work, however, am I overlooking something from a
> > security point of view by allowing any icmp and ip's through?  Is there a
> > better way?
> 
> You could further limit your rules by specifying the source
> address of your cable modem provider, something like:
> 
>      -A INPUT -p icmp -s provider.cable.net -j ACCEPT

If William blocks all ICMP packets then I'm not surprised that he has
connection problems. ICMP is there for a reason. In particular, if he
blocks ICMP type destination-unreachable/fragmentation-needed then all
his connections, which, at some point, run over a low MTU link will
break sooner or later. This usually happens after the first big packet
gets sent over the connection.
This is because blocking ICMP breaks PMTU discovery.

Really, ICMP is there for a reason. Nobody should expect to get away
with blocking it, unless they are accepting random connection hangs and
similar problems.

Walter
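What Walter describes, as an added example that is not part of the original thread: a ruleset that stays restrictive but lets through the ICMP that the provider's ping and traceroute, and PMTU discovery, actually need, plus a small checker that flags an iptables dump in which fragmentation-needed cannot reach INPUT. It is my own code, not anything William, John or Walter posted. 192.0.2.0/24 (a documentation address range) stands in for the provider's network, and the UDP port range 33434:33534 is an assumption based on classic traceroute's default base port and 30 hops x 3 probes.

```shell
#!/bin/sh
# Added example, not code from the thread: an iptables-restore ruleset
# that stays restrictive but lets through the ICMP that ping, traceroute
# and PMTU discovery need, plus a checker for rulesets that would break
# PMTU discovery by dropping fragmentation-needed.
# 192.0.2.0/24 (a documentation range) is a placeholder for the provider's
# network; replace it with their real netblock.

PROVIDER_NET="${PROVIDER_NET:-192.0.2.0/24}"

# Print the ruleset on stdout. Load it as root with: iptables-restore < file
gen_icmp_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to our own connections. RELATED also covers ICMP errors that
# refer to a tracked flow, which is how fragmentation-needed normally
# reaches a connection-tracking firewall.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Explicit accepts from anywhere: these errors come from intermediate
# routers, not from the peer, so they cannot be limited to the provider.
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT
# Ping, but only from the provider and rate-limited.
-A INPUT -p icmp --icmp-type echo-request -s ${PROVIDER_NET} -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Classic traceroute sends UDP probes to ports from 33434 upward; answering
# with port-unreachable makes this host show as the final hop instead of
# "* * *". 33434:33534 is an assumed range (30 hops x 3 probes, plus slack).
-A INPUT -p udp -s ${PROVIDER_NET} --dport 33434:33534 -j REJECT --reject-with icmp-port-unreachable
# Log (rate-limited) whatever ICMP falls through; the DROP policy drops it.
-A INPUT -p icmp -m limit --limit 1/minute -j LOG --log-prefix icmp-dropped:
COMMIT
EOF
}

# Read an iptables-save style ruleset on stdin; exit 0 if ICMP
# fragmentation-needed can reach INPUT, 1 if the ruleset would break PMTU
# discovery. A source-restricted accept (-s ...) does not count, because
# the router that sends the error is not the peer you are talking to.
check_pmtud_safe() {
    awk '
        /^:INPUT DROP/ { policy_drop = 1 }
        /^-A INPUT/ && /-j ACCEPT/ && !/ -s / &&
            (/RELATED/ || (/-p icmp/ && (!/--icmp-type/ || /fragmentation-needed/ || /destination-unreachable/))) {
                if (!blocked) accepted = 1
            }
        /^-A INPUT/ && /-p icmp/ && !/--icmp-type/ && /-j (DROP|REJECT)/ { blocked = 1 }
        END { exit (accepted || (!blocked && !policy_drop)) ? 0 : 1 }
    '
}

# Usage: sh icmp_rules.sh              -> prints the ruleset
#        sh icmp_rules.sh check < dump -> checks an existing iptables-save dump
case "${1:-}" in
    check)
        if check_pmtud_safe; then
            echo "ok: fragmentation-needed can reach INPUT"
        else
            echo "WARNING: ruleset blocks fragmentation-needed; PMTU discovery will break" >&2
            exit 1
        fi
        ;;
    *)
        gen_icmp_rules
        ;;
esac
```

Two points the checker encodes: `-p ip` resolves to protocol number 0, which iptables treats the same as `all`, so the original traceroute rule accepts every inbound packet, and the REJECT on the UDP probe ports above replaces it; and a hostname in `-s`, as John suggests, is resolved once when the rule is loaded and only covers packets from that address, which is fine for echo-request but not for the ICMP errors that arrive from routers in between.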


