
Re: ICMP drop.



On Fri, 2003-10-10 at 01:30, Daniel Pittman wrote:
> On Thu, 09 Oct 2003, Rudi Starcevic wrote:
> > So I had the silly idea to drop icmp packets and be anonymous.
> 
> *nod*  It's a good idea, and something that is reasonable to do for
> most ICMP packets.
> 
> > As I now know, you'll also end up lonely if you drop ICMP packets, so
> > it's not really possible to be anonymous. The machine just has to deal
> > with the requests asked of it.
> 
> Well, pretty much. A good firewall should ensure you never see most of
> them anyway, but you can't do anything to make certain of not being
> scanned.
> 
> Blocking some-but-not-all ICMP is good, though, especially if you have
> Windows boxes behind your firewall.
> 
> Basically, you *must* allow the following ICMP packet types through, or
> your network connection is less functional:
> 
>      ICMP 3  - destination unreachable
>      ICMP 11 - TTL exceeded
>      ICMP 12 - parameter problems
> 
I have only the following rules for ICMP traffic and they work fine with
all kinds of Windows servers behind them.

${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type echo-reply -j ACCEPT               # type 0
${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type destination-unreachable -j ACCEPT  # type 3
${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type time-exceeded -j ACCEPT            # type 11

The rest will be dropped.

The echo-reply works because on some interfaces the echo-request is also
permitted.

So you don't need to allow types 3, 11 and 12.

Maurice Lucas
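The following is an added example, not Maurice's ruleset or anything from the list: a complete ICMP-ACCEPT chain that admits the three types Daniel listed (3, 11, 12) plus echo-reply, rate-limits inbound echo-request, logs and drops everything else, and hooks the chain into INPUT. The chain name and the ${IPTABLES} convention follow the post above; the rate limits and log prefix are assumptions. IPTABLES defaults to "echo iptables" so the script prints the commands rather than touching a live firewall, and icmp_verdict() lets you check offline what the chain would do with a given ICMP type name.

```shell
#!/bin/sh
# Added example (not the original poster's rules). Dry-run by default:
# set IPTABLES=iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Policy table: "<icmp-type> <verdict> [extra match options]".
# First match wins, the same way iptables walks a chain. Anything not
# listed here falls through to the DROP at the end of the chain.
# Rate limits are assumed values, not from the original post.
ICMP_POLICY='
destination-unreachable ACCEPT
time-exceeded           ACCEPT
parameter-problem       ACCEPT
echo-reply              ACCEPT
echo-request            ACCEPT -m limit --limit 5/s --limit-burst 10
'

# Emit (or apply) the ICMP-ACCEPT chain from the table above.
install_icmp_chain() {
    ${IPTABLES} -N ICMP-ACCEPT 2>/dev/null || ${IPTABLES} -F ICMP-ACCEPT
    while read -r type verdict extra; do
        [ -n "$type" ] || continue
        # $extra is deliberately unquoted so "-m limit ..." splits into words
        ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type "$type" $extra -j "$verdict"
    done <<EOF
$ICMP_POLICY
EOF
    # Everything else: log at a low rate, then drop.
    ${IPTABLES} -A ICMP-ACCEPT -m limit --limit 1/min -j LOG --log-prefix "ICMP-DROP: "
    ${IPTABLES} -A ICMP-ACCEPT -j DROP
    # Send all inbound ICMP through the chain.
    ${IPTABLES} -A INPUT -p icmp -j ICMP-ACCEPT
}

# Offline check: print the verdict the chain gives an ICMP type name,
# e.g. "icmp_verdict redirect" -> DROP. Does not touch the kernel.
icmp_verdict() {
    while read -r type verdict extra; do
        if [ "$type" = "$1" ]; then
            echo "$verdict"
            return 0
        fi
    done <<EOF
$ICMP_POLICY
EOF
    echo DROP
}

install_icmp_chain
```

Two things worth knowing when adapting this. Type 3 matters mostly because of code 4 (fragmentation needed), which path MTU discovery depends on; blocking it produces the "small transfers work, large ones hang" symptom. And if the firewall already has a stateful rule such as `-m state --state ESTABLISHED,RELATED -j ACCEPT` near the top of INPUT, ICMP errors that refer to one of your own tracked connections are classified RELATED and get in through that rule regardless of the ICMP-ACCEPT chain; the chain then only governs unsolicited ICMP.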
