On Tue, 02.08.2005 at 10:43, Edward Dekkers wrote:
> I have a rule in my firewall's INPUT chain to drop incoming ICMP.
Sorry to say, but that is braindead (no offense).
ICMP is an important protocol and does not only know the echo-request
and echo-reply types. A proper network relies on proper ICMP
transmission.
> The net result of this is that when I'm testing, and I ping outwards,
> the echoes don't come back.
Not only that. Again, you are shooting yourself in the foot with that
blackhole setup.
> The rule looks like this:
> echo " Dropping ICMP from outside"
> $IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP
> $IPTABLES -A FORWARD -j LOG
http://www.faqs.org/docs/iptables/icmptypes.html
So *if* you really think you gain anything by blocking incoming ping
echo requests, then only handle ICMP types 0 and 8 within your ruleset
and let all other types flow.
> On the forward chain I have this:
> echo " FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> Can something similar be done for ICMP? i.e. allow echo ICMP packets
> back in only if I've pinged somebody?
http://www.faqs.org/docs/iptables/icmpconnections.html
> Regards,
> Ed.
Alexander
--
Alexander Dalloz | Enger, Germany | GPG
http://pgp.mit.edu 0xB366A773
legal statement:
http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 15:25:24 up 17 days, 19:57, load average: 0.20, 0.26, 0.18
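The following is an added example, not part of Alexander's or Edward's mails, showing what "handle only types 0 and 8 and let the rest flow" looks like as iptables rules, combined with the same `-m state` match Edward already uses on his FORWARD chain. It reuses the `$IPTABLES`, `$EXTIF` and `$INTIF` variable names from Edward's script; the default interface names and the `apply` argument are assumptions made here. Rule order is the point: the stateful ACCEPT must come before the narrow DROPs, so echo-replies to the firewall's own pings and ICMP error messages for its own connections (destination-unreachable, time-exceeded, fragmentation-needed) are matched as ESTABLISHED or RELATED and never reach the DROP rules.

```shell
#!/bin/sh
# Added example (not code from the original thread): ICMP rules that block
# only unsolicited echo traffic and keep every other ICMP type flowing.
# Variable names follow Edward's script; default interface names are placeholders.
IPTABLES=${IPTABLES:-iptables}
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}

# Append the ICMP rules to one chain ($1 is INPUT or FORWARD).
# Order: stateful ACCEPT first, then the narrow DROPs, then the catch-all ACCEPT.
icmp_rules() {
    chain=$1
    # 1. Echo-replies to pings we sent and ICMP errors for connections we opened
    #    are ESTABLISHED/RELATED in conntrack; they must be let back in.
    $IPTABLES -A "$chain" -i "$EXTIF" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Anything of type 8 (echo-request) still left is an unsolicited ping from
    #    outside; anything of type 0 (echo-reply) still left has no matching request.
    $IPTABLES -A "$chain" -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP
    $IPTABLES -A "$chain" -i "$EXTIF" -p icmp --icmp-type echo-reply -j DROP
    # 3. All other ICMP types (unreachable, time-exceeded, ...) flow as intended.
    $IPTABLES -A "$chain" -i "$EXTIF" -p icmp -j ACCEPT
}

# Only touch the live ruleset when asked to; run as "sh script.sh apply".
# Run with IPTABLES=echo instead to print the rules without installing them.
if [ "${1:-}" = apply ]; then
    icmp_rules INPUT
    icmp_rules FORWARD
fi
```

For the FORWARD chain Edward's existing ESTABLISHED,RELATED rule already covers ICMP, since conntrack tracks echo-request/echo-reply pairs the same way it tracks TCP and UDP flows; the echoes that vanish in his test are the ones destined for the firewall itself, which only the INPUT chain sees. Setting `IPTABLES=echo` gives a dry run that prints the rules in order, which is a cheap way to check the sequence before touching a remote box.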