On Mon, Apr 09, 2001 at 12:05:18PM -0700, Brandon High wrote:
> How should ICMP packets be filtered? I was blocking them all, but I was
> getting a lot of traffic in my logs like:
> kernel: Packet log: input DENY eth1 PROTO=1 216.242.53.162:3 x.y.z.82:3 L=56 S=0x00 I=25760 F=0x0000 T=243 (#27)
> kernel: Packet log: input DENY eth1 PROTO=1 211.184.206.194:8 x.y.z.82:0 L=60 S=0x00 I=65280 F=0x0000 T=15 (#5)
Ask yourself this: *Why* should ICMP be filtered? What are you gaining?
Do you sleep better at night knowing that your machine won't respond to
pings? It really doesn't make you any safer.
> Is it a better idea to DENY or REJECT? What does Ye Olde RFC recommend?
> Which is safer?
REJECT causes an "icmp port unreachable" message to be sent to the
originating host. DENY doesn't. Connecting to a REJECT rule gives a
"connection refused" error, while connecting to a DENY rule just sits
there until the connection times out. It's polite to REJECT, and I do
believe it's specified in an RFC, but I'm not sure. By default, if you
aren't using ipchains at all, a connection to a closed port results in
an ICMP port unreachable message being sent.
I don't feel like you gain any security by DENYing connections or by
filtering ICMP.
noah
--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
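Two things a practitioner would want to check after reading this exchange, as an added example that is not part of the thread: first, what the logged ICMP packets actually are (ipchains prints the ICMP type and code in the two port positions of a PROTO=1 entry, so 3:3 is a port-unreachable error and 8:0 is an echo request), and second, what a REJECT rule versus a DENY rule looks like from the connecting side. The script below is Python 3 with only the standard library; the two log lines are reconstructed from the post with the address placeholder left as x.y.z.82, and the probe demonstration uses a loopback listener so it runs offline. The "error reply" classification is this example's own policy, not something the thread specifies.

```python
"""Added example for the ipchains thread above (not code from the post).

decode_ipchains_icmp(): parse an ipchains "Packet log:" line and, for
PROTO=1, read the ICMP type/code that ipchains prints where the source and
destination port normally appear.
probe_tcp(): connect to a TCP port and report "open", "refused" (RST or
ICMP port-unreachable, which is what a REJECT rule produces) or
"filtered" (silent timeout, which is what a DENY rule produces).
"""
import re
import socket

# Constructed sample input: the two lines quoted in the post, joined back
# onto one line each (the archive had wrapped them).
SAMPLE_LOG = [
    "kernel: Packet log: input DENY eth1 PROTO=1 216.242.53.162:3 x.y.z.82:3 "
    "L=56 S=0x00 I=25760 F=0x0000 T=243 (#27)",
    "kernel: Packet log: input DENY eth1 PROTO=1 211.184.206.194:8 x.y.z.82:0 "
    "L=60 S=0x00 I=65280 F=0x0000 T=15 (#5)",
]

# ICMP type and destination-unreachable code names from RFC 792.
ICMP_TYPES = {
    0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
    5: "redirect", 8: "echo-request", 11: "time-exceeded",
    12: "parameter-problem",
}
UNREACH_CODES = {
    0: "net-unreachable", 1: "host-unreachable", 2: "protocol-unreachable",
    3: "port-unreachable", 4: "fragmentation-needed",
}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sp>\d+) (?P<dst>\S+):(?P<dp>\d+) "
    r"L=(?P<len>\d+)"
)


def decode_ipchains_icmp(line):
    """Return a dict describing one ipchains log line.

    For PROTO=1 the two "port" fields are reinterpreted as ICMP type and
    code; other protocols keep them as sport/dport.
    """
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line: %r" % line)
    rec = {k: m.group(k) for k in ("chain", "verdict", "iface", "src", "dst")}
    proto = int(m.group("proto"))
    rec["proto"] = proto
    if proto != 1:
        rec["sport"], rec["dport"] = int(m.group("sp")), int(m.group("dp"))
        return rec
    t, c = int(m.group("sp")), int(m.group("dp"))
    rec["icmp_type"], rec["icmp_code"] = t, c
    name = ICMP_TYPES.get(t, "type-%d" % t)
    if t == 3:
        name += "/" + UNREACH_CODES.get(c, "code-%d" % c)
    rec["name"] = name
    # Example policy (assumption): ICMP error types 3, 4, 11 and 12 are
    # normally replies to traffic this host itself sent, so blocking them
    # breaks things like PMTU discovery and traceroute. Echo requests (8)
    # are unsolicited.
    rec["is_error_reply"] = t in (3, 4, 11, 12)
    return rec


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port the way a scanner would see it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"      # RST or ICMP port-unreachable (REJECT)
    except (socket.timeout, TimeoutError):
        return "filtered"     # nothing came back at all (DENY)
    except OSError:
        return "unreachable"  # e.g. host/net unreachable from the router
    finally:
        s.close()


def demo_probe():
    """Loopback demonstration: a listening socket reports "open"; once it is
    closed the kernel answers with RST and the probe reports "refused",
    which is also what a REJECT rule looks like from outside."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    lsock.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = decode_ipchains_icmp(line)
        print(r["src"], "->", r["dst"], r["name"], "error-reply:", r["is_error_reply"])
    print("probe while listening / after close:", demo_probe())
```

Run it with no arguments: the first logged packet decodes as destination-unreachable/port-unreachable from 216.242.53.162, i.e. an error message about something x.y.z.82 had sent, while the second is a plain echo request; the probe pair comes back as ("open", "refused"). A "filtered" result only appears against a real DENY rule, where the connect attempt waits out the full timeout instead of returning immediately.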