
Re: Off Topic: iptables, ping, traceroute



On Tue, Jul 17, 2001 at 04:22:25PM +0200, Walter Hofmann wrote:
> On Mon, 16 Jul 2001, John Patton wrote:
> 
> > On Mon, Jul 16, 2001 at 02:30:29PM -0500, William Jensen wrote:
> > > I've setup a fairly restrictive set of rules for iptables and have been,
> > > up to this point, extremely satisfied with its performance.  However,
> > > I've recently started having some significant issues with my cable modem
> > > provider and they routinely want to ping and traceroute to my machine.
> > > This requires me to take down my firewall and wait for them to finish,
> > > then put it back up.  I'd like to make, as part of my rule set, ping and
> > > traceroute able to get through.  So far I've done this for my input chain
> > > for ping
> > > 
> > >     -A INPUT -p icmp -j ACCEPT
> > > 
> > >     For traceroute I've done this:
> > > 
> > >     -A INPUT -p ip -j ACCEPT
> > > 
> > > These appear to work, however, am I overlooking something from a
> > > security point of view by allowing any icmp and ip's through?  Is
> > > there a better way?
> > 
> > You could further limit your rules by specifying the source
> > address of your cable modem provider, something like:
> > 
> >      -A INPUT -p icmp -s provider.cable.net -j ACCEPT
> 
> If William blocks all ICMP packets then I'm not surprised that he has
> connection problems. ICMP is there for a reason. In particular, if he
> blocks ICMP type destination-unreachable/fragmentation-needed then all
> his connections, which, at some point, run over a low MTU link will
> break sooner or later. This usually happens after the first big packet
> gets sent over the connection.
> This is because blocking ICMP breaks PMTU discovery.
> 
> Really, ICMP is there for a reason. Nobody should expect to get away
> with blocking it, unless they are accepting random connection hangs and
> similar problems.

Using iptables with connection tracking, it isn't a problem
as long as established/related stuff is let in. If William
is running public services, most icmp protocols should be
allowed from whom-ever, but if he is simply trying to make
his stand-alone private machine invisible to ping sweeps,
then blocking icmp is perfectly reasonable, and won't cause
any problems.

-- 
John Patton                      patton66@home.com

"Believe those who are seeking the truth; doubt those who
find it."  - Andre Gide
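As an added illustration of the two points raised in this thread (connection tracking keeps PMTU discovery working, and ping/traceroute can be admitted without opening the host), here is a small INPUT ruleset script. It is not from the thread or from any of the posters; the provider address range is a placeholder, and with DRY_RUN=1 (the default) the script only prints the iptables commands so the ruleset can be reviewed before it is applied as root. Two details worth knowing: an ICMP fragmentation-needed message that refers to a tracked connection is classified RELATED by conntrack, so the single ESTABLISHED,RELATED rule covers it, and the original `-A INPUT -p ip -j ACCEPT` rule is broader than it looks, because iptables resolves `ip` through /etc/protocols to protocol number 0, which it treats as `all`. Incoming UDP traceroute probes are answered with REJECT rather than ACCEPT so that the kernel sends the port-unreachable the tracing side is waiting for without any listening port being reachable.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Minimal INPUT chain for a stand-alone host: default DROP, conntrack for
# return traffic (incl. ICMP errors such as fragmentation-needed), and
# ping/traceroute admitted only from the provider's range.

# Placeholder (assumption): replace with the provider's real address block.
PROVIDER_NET="${PROVIDER_NET:-192.0.2.0/24}"

# Wrapper: print the command in dry-run mode, execute it otherwise.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_input_rules() {
    ipt -P INPUT DROP
    ipt -F INPUT

    # Loopback is always local.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, plus ICMP errors that refer
    # to a tracked connection (RELATED): this is what keeps PMTU discovery
    # working even though unsolicited ICMP is dropped below.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Echo requests (ping) only from the provider, rate limited.
    ipt -A INPUT -p icmp --icmp-type echo-request -s "$PROVIDER_NET" \
        -m limit --limit 5/s -j ACCEPT

    # Classic UDP traceroute probes from the provider: REJECT, not DROP,
    # so the kernel answers with port-unreachable and the trace completes.
    ipt -A INPUT -p udp --dport 33434:33523 -s "$PROVIDER_NET" \
        -j REJECT --reject-with icmp-port-unreachable

    # Anything else falls through to the DROP policy.
}

apply_input_rules
```

Run as `DRY_RUN=1 sh rules.sh` to inspect the commands, then `DRY_RUN=0 PROVIDER_NET=<real range> sh rules.sh` as root to apply them. Note that the echo-request rule does not match other ICMP types such as echo-reply or time-exceeded; those arrive as ESTABLISHED/RELATED when they belong to traffic this host started, which is the distinction the reply above relies on.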
