redhat-config-securitylevel vs redhat-config-firewall?

Dax Kelson Dax at GuruLabs.com
Wed Oct 8 05:35:24 UTC 2003


On Mon, 2003-10-06 at 22:11, Tommy McNeely wrote:
> WOW! I can actually use the built in firewall right out of the box (for my
> laptop anyhow)... although I don't recall the option to allow ipsec vpn
> traffic, it's in there (50 & 51 below), and RELATED,ESTABLISHED ! YAY!
> 
> However, I question the allowing of ALL ICMP traffic in?
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> 
> I usually only allow "related/established" and don't have any troubles
> ... actually a lot of the dumber viruses/worms pass me by because I respond
> with an error on icmp echo. Of course they can't infect me, and I don't
> know if allowing all icmp traffic even poses a vulnerability, but I have
> always blocked it?

Tommy, I submitted the patch to RH that redid the core rules to be
stateful.

It's good net-citizen behavior to allow incoming ICMP echo requests
(PING). One reason is that most DHCP servers double-check IP address
availability before handing out leases.

My original patch allowed incoming ICMP echo requests, and packets
"RELATED" to existing connections.

My understanding is that RELATED should catch and allow all ICMP error
messages "related" to current, valid connections. This included ICMP
"need to fragment" messages.

In a conservative move, so as not to break things (google "ICMP need to
fragment"), RH changed the rules I supplied to allow all incoming ICMP
messages, solicited or not.

There is a current friendly disagreement (between myself and some RH
folks) on whether RELATED catches the ICMP error messages or not. I've not
had the time to set up my lab topology to do a real live test, but I
believe it does and the change RH made was unneeded.

Anyway, while IMO it isn't ideal to allow all incoming ICMP, it isn't
that big of a deal; the exposure is extremely minimal and likely
inconsequential.

Dax Kelson
Guru Labs
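The two rule sets under discussion, side by side, as an added example (this is not Dax's patch or Red Hat's shipped configuration). The script emits an iptables-restore file for the RH-Firewall-1-INPUT chain named in the quoted rule; the "all" variant accepts every ICMP type, as RH shipped it, and the "echo" variant accepts only echo-request and relies on the RELATED state for ICMP errors. The chain layout, the final REJECT, and the ESP/AH (protocol 50/51) rules are assumptions filled in around the one rule quoted above. The netfilter ICMP conntrack code does classify ICMP error messages that reference a tracked connection (destination-unreachable, including fragmentation-needed, time-exceeded, parameter-problem) as RELATED, so the "echo" variant still passes path-MTU discovery. The script only prints the ruleset; it does not load it.

```shell
#!/bin/sh
# Constructed example: generate an iptables-restore ruleset with one of two
# ICMP policies. "all" = accept every ICMP type unconditionally (what RH shipped);
# "echo" = accept echo-request only and let -m state --state RELATED admit ICMP
# errors tied to tracked connections (what the original stateful patch did).

gen_ruleset() {
    icmp_policy="$1"
    case "$icmp_policy" in
        all)  icmp_rule='-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT' ;;
        echo) icmp_rule='-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT' ;;
        *)    echo "gen_ruleset: unknown ICMP policy '$icmp_policy' (use all|echo)" >&2
              return 1 ;;
    esac
    # Chain layout is an assumption modelled on the RH-Firewall-1-INPUT style:
    # INPUT and FORWARD both jump into the single user chain.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
$icmp_rule
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Report which ICMP type a ruleset admits before the stateful rule, so the two
# variants can be compared without reading the whole file.
unsolicited_icmp() {
    gen_ruleset "$1" | sed -n 's/.*-p icmp --icmp-type \([a-z-]*\) -j ACCEPT.*/\1/p'
}

# Stand-alone use: ICMP_POLICY=all ./gen-rules.sh > rules.txt
gen_ruleset "${ICMP_POLICY:-echo}"
```

To load the output, pass it to `iptables-restore`; to settle the RELATED question empirically, watch the packet counters of the `--state ESTABLISHED,RELATED` rule with `iptables -L RH-Firewall-1-INPUT -v -n` while a transfer crosses a link with a smaller MTU, and confirm the "fragmentation needed" replies are counted there rather than rejected.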