Re: ICMP drop.
On Fri, 2003-10-10 at 01:30, Daniel Pittman wrote:
> On Thu, 09 Oct 2003, Rudi Starcevic wrote:
> > So I had the silly idea to drop icmp packets and be anonymous.
>
> *nod* It's a good idea, and something that is reasonable to do for
> most ICMP packets.
>
> > As I now know, you'll also end up lonely if you drop ICMP packets. So it's
> > not really possible to be anonymous. The machine just has to deal with
> > the requests asked of it.
>
> Well, pretty much. A good firewall should ensure you never see most of
> them anyway, but you can't do anything to make certain of not being
> scanned.
>
> Blocking some-but-not-all ICMP is good, though, especially if you have
> Windows boxes behind your firewall.
>
> Basically, you *must* allow the following ICMP packet types through, or
> your network connection is less functional:
>
> ICMP 3 - destination unreachable
> ICMP 11 - TTL exceeded
> ICMP 12 - parameter problems
>
I have only the following rules for ICMP traffic and they work fine with
all kinds of Windows servers behind them.
${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type destination-unreachable -j ACCEPT
${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type time-exceeded -j ACCEPT
The rest will be dropped.
The echo-reply works because on some interfaces the ICMP echo-request is also
permitted.
So you don't need to allow types 3, 11, 12.
Maurice Lucas
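The two rulesets in this thread (Daniel's list of types 3, 11 and 12, and Maurice's ICMP-ACCEPT chain) side by side, as an added example that is not part of either poster's message. It is a POSIX sh script; the chain name ICMP-ACCEPT is taken from Maurice's rules, the icmp-type names are the standard iptables ones, and the stateful variant using the conntrack match is my addition, not something either poster described. IPTABLES defaults to printing the commands so the rules can be reviewed without root; set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example (not the posters' own script). Builds an ICMP-ACCEPT chain
# that permits the ICMP types the thread says a host needs and drops the rest.
# IPTABLES defaults to "echo iptables" so running this prints the rules
# instead of changing the firewall; export IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# icmp_accept_chain: the enumerated variant. Accepts echo replies to our own
# pings plus the three error types from Daniel's list, then drops everything
# else (echo-request is deliberately not opened here; allow it per interface
# as Maurice does, if at all).
icmp_accept_chain() {
    ${IPTABLES} -N ICMP-ACCEPT
    # Replies to pings this host sent (Maurice's first rule)
    ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
    # Type 3: path MTU discovery and prompt failure of dead connections
    ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # Type 11: traceroute relies on these coming back
    ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type time-exceeded -j ACCEPT
    # Type 12: on Daniel's must-allow list (Maurice's ruleset omits it)
    ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type parameter-problem -j ACCEPT
    # Everything else ICMP that reaches this chain is dropped
    ${IPTABLES} -A ICMP-ACCEPT -j DROP
}

# icmp_accept_chain_stateful: the connection-tracking variant (my addition).
# Instead of naming the error types, accept any ICMP the kernel's conntrack
# ties to an existing flow (RELATED); that covers types 3, 11 and 12 sent in
# response to our own traffic while still dropping unsolicited ICMP errors.
icmp_accept_chain_stateful() {
    ${IPTABLES} -N ICMP-ACCEPT
    ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
    ${IPTABLES} -A ICMP-ACCEPT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
    ${IPTABLES} -A ICMP-ACCEPT -j DROP
}

# Print (or apply) the enumerated variant.
icmp_accept_chain
```

With IPTABLES unset the script just prints four ACCEPT rules and a final DROP, which is a convenient way to diff a proposed chain against the one already loaded (iptables -S ICMP-ACCEPT) before touching a live firewall.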