
Re: blocking icmp...



somian@adelphia.net writes:
> On Sun, May 25, 2003 at 01:09:29PM -0400, Kevin McKinley wrote:
> > On Sun, 25 May 2003 07:31:02 -0700
> > Paul Johnson <baloo@ursine.dyndns.org> wrote:
> > 
> > > On Sun, May 25, 2003 at 09:56:07PM +0800, Hanz wrote: 
> > > > In setting up a firewall will there be any negative side effects if
> > > > i block icmp?
> > > 
> > > Well, other than it breaking the TCP/IP standard and making some
> > > servers think you don't exist (some ping back), no.
> > 
> > How would declining to answer pings "break the TCP/IP standard"? That's like
> > saying if you don't answer the telephone you're breaking the telephone
> > standard.
> 
> It's anti-social and hamfisted. Some CPAN servers are blocking icmp now
> and that makes it difficult to tell if they are even up. There are more
> precise and reasonable means, using netfilter (iptables) to protect
> against icmp DoS attacks. At the very least one shouldn't do something
> that one doesn't want others to do. Set a good example and all that.

For a server I'd agree. For a home system I'm not sure there's any
issue. I've been blocking all incoming, non-stateful, ICMP for a
number of years on my cable-connected LAN and have never had a
problem, but I don't run any type of globally accessible server.

Personally, I'd rather make my presence on the 'net as hard to
discover as possible. If you allow echo requests it's a simple matter
for someone to run nmap, for example, to find out that a particular IP
address is valid. If you block such messages any cracker will likely
just move on to the next poor slob when your IP address doesn't show
up on his nmap scan.

Gary
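As an added example that is not part of this thread, here is the kind of more targeted netfilter policy somian alludes to, instead of dropping the whole protocol: accept ICMP that belongs to the host's own connections (echo replies, fragmentation-needed errors for path MTU discovery), answer echo requests at a limited rate, and drop the rest. The interface name eth0, the rate values and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Drops unsolicited ICMP while
# keeping stateful ICMP working. Interface name is an assumption.
WAN_IF="${WAN_IF:-eth0}"   # assumed external interface

# Print the rules rather than applying them, so the policy can be reviewed.
icmp_rules() {
    cat <<EOF
# ICMP tied to our own traffic: echo-reply to our pings, destination-unreachable
# and fragmentation-needed errors that path MTU discovery depends on
iptables -A INPUT -i $WAN_IF -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Still answer pings, but no faster than 1/s (burst 4): reachability checks
# keep working while a ping flood is blunted
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
# Everything else arriving over ICMP is dropped silently
iptables -A INPUT -i $WAN_IF -p icmp -j DROP
EOF
}

# Number of iptables commands the policy installs (comment lines excluded).
icmp_rule_count() {
    icmp_rules | grep -c '^iptables '
}

# Apply the rules only when running as root with iptables available;
# otherwise just show them and report failure.
apply_icmp_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "not root or iptables missing; printing rules only" >&2
        icmp_rules
        return 1
    fi
    icmp_rules | grep '^iptables ' | sh
}
```

Run `apply_icmp_rules` as root to install the three rules; unprivileged users get the rules printed for inspection instead.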
