I block all pings to my mail/DNS server at the firewall. Now in my firewall logs I found that every time I get a mail from a certain domain, I have two ping entries in the log files. I found that it is the DNS server of the sender which is pinging me.
1. Why does the other DNS server ping me? (And send the mail after 2 failed attempts)
2. Should I allow ping to the mail/DNS server? What implications would that have?
Thanks
Raffy
I hope you are just blocking ping and *not* ICMP. Blocking ICMP will break a lot of things. It will also break path-MTU discovery. In all honesty, blocking ping does no good for you. If somebody is ping flooding you, your firewall still has to deal with the packets, which, if it's a lot of pings, will increase the load on your firewall (obviously dependent on your firewall's hardware). In order to not break network services you should go through and only block the ICMP traffic you don't need. (I'll post a list of such traffic in a while)
-miah
On Tue, Dec 12, 2000 at 01:36:58PM +0100, Raffael Arthur Marty wrote:
I block all pings to my mail/DNS server at the firewall. Now in my firewall logs I found that every time I get a mail from a certain domain, I have two ping entries in the log files. I found that it is the DNS server of the sender which is pinging me.
1. Why does the other DNS server ping me? (And send the mail after 2 failed attempts)
2. Should I allow ping to the mail/DNS server? What implications would that have?
Thanks
Raffy
Hi.
I think you have it backwards here: Firewalls should _always_ be configured as default DENY (or DROP with NetFilter), then open up those you really need and want.
Concerning ICMP, here is what I do with most of the firewalls I configured:
Outbound:
- echo-request (ping)
Inbound:
- echo-reply (pong)
- fragmentation-needed (for PMTU discovery)
- source-quench (router is overloaded)
- time-exceeded
- parameter-problem
Hope that helps
Greetings
olli
On Tue, 12 Dec 2000 jjohnson@penguincomputing.com wrote:
I hope you are just blocking ping and *not* ICMP. Blocking ICMP will break a lot of things. It will also break path-MTU discovery. In all honesty, blocking ping does no good for you. If somebody is ping flooding you, your firewall still has to deal with the packets, which, if it's a lot of pings, will increase the load on your firewall (obviously dependent on your firewall's hardware). In order to not break network services you should go through and only block the ICMP traffic you don't need. (I'll post a list of such traffic in a while)
-miah
On Tue, Dec 12, 2000 at 01:36:58PM +0100, Raffael Arthur Marty wrote:
I block all pings to my mail/DNS server at the firewall. Now in my firewall logs I found that every time I get a mail from a certain domain, I have two ping entries in the log files. I found that it is the DNS server of the sender which is pinging me.
1. Why does the other DNS server ping me? (And send the mail after 2 failed attempts)
2. Should I allow ping to the mail/DNS server? What implications would that have?
Thanks
Raffy
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
--
--------------------------------------
Oliver Hensel
Hi.
Some additions concerning the load on your firewall: The problem with DENY rules is the amount of logging (an attacker can very easily flood your packet filter with disallowed packets and thus fill up your logs and your hard disk). You can circumvent this problem with one of two methods:
- Don't log silly/uninteresting traffic (e.g. echo-requests), which is not an option in most cases.
- Use NetFilter with the limit module, so that only the first xxx (default 5) packets per hour get logged. Works beautifully.
Greetings
olli
On Wed, 13 Dec 2000, Oliver Hensel wrote:
Hi.
I think you have it backwards here: Firewalls should _always_ be configured as default DENY (or DROP with NetFilter), then open up those you really need and want.
Concerning ICMP, here is what I do with most of the firewalls I configured:
Outbound:
- echo-request (ping)
Inbound:
- echo-reply (pong)
- fragmentation-needed (for PMTU discovery)
- source-quench (router is overloaded)
- time-exceeded
- parameter-problem
Hope that helps
Greetings
olli
On Tue, 12 Dec 2000 jjohnson@penguincomputing.com wrote:
I hope you are just blocking ping and *not* ICMP. Blocking ICMP will break a lot of things. It will also break path-MTU discovery. In all honesty, blocking ping does no good for you. If somebody is ping flooding you, your firewall still has to deal with the packets, which, if it's a lot of pings, will increase the load on your firewall (obviously dependent on your firewall's hardware). In order to not break network services you should go through and only block the ICMP traffic you don't need. (I'll post a list of such traffic in a while)
-miah
On Tue, Dec 12, 2000 at 01:36:58PM +0100, Raffael Arthur Marty wrote:
I block all pings to my mail/DNS server at the firewall. Now in my firewall logs I found that every time I get a mail from a certain domain, I have two ping entries in the log files. I found that it is the DNS server of the sender which is pinging me.
1. Why does the other DNS server ping me? (And send the mail after 2 failed attempts)
2. Should I allow ping to the mail/DNS server? What implications would that have?
Thanks
Raffy
On Wed, Dec 13, 2000 at 11:27:22AM +0100, Oliver Hensel wrote:
Hi.
I think you have it backwards here: Firewalls should _always_ be configured as default DENY (or DROP with NetFilter), then open up those you really need and want.
Concerning ICMP, here is what I do with most of the firewalls I configured:
Outbound:
- echo-request (ping)
Inbound:
- echo-reply (pong)
- fragmentation-needed (for PMTU discovery)
- source-quench (router is overloaded)
- time-exceeded
- parameter-problem
In addition I always accept destination-unreachable.
cu,
Hans Peter
On Wed, Dec 13, 2000 at 11:27 +0100, Oliver Hensel wrote:
Concerning ICMP, here is what I do with most of the firewalls I configured:
Outbound:
- echo-request (ping)
Inbound:
- echo-reply (pong)
- fragmentation-needed (for PMTU discovery)
- source-quench (router is overloaded)
- time-exceeded
- parameter-problem
No "net/host/port unreachable"?
virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Hi. On Wed, 13 Dec 2000, Gerhard Sittig wrote:
On Wed, Dec 13, 2000 at 11:27 +0100, Oliver Hensel wrote:
Concerning ICMP, here is what I do with most of the firewalls I configured:
Outbound:
- echo-request (ping)
Inbound:
- echo-reply (pong)
- fragmentation-needed (for PMTU discovery)
- source-quench (router is overloaded)
- time-exceeded
- parameter-problem
No "net/host/port unreachable"?
Sigh, I forgot those (list was from top of my head, sorry).
Greetings
olli
--
--------------------------------------
Oliver Hensel
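One way to put the ICMP policy the thread converges on into NetFilter rules, as an added example (not code from any of the posters): it accepts olli's outbound/inbound type lists plus Hans Peter's destination-unreachable (which also covers the net/host/port-unreachable codes Gerhard asked about), keeps inbound ping blocked as Raffy has it, and logs the dropped pings through the limit module as in olli's second message. The iptables CLI, the chain names icmp_in/icmp_out and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the ICMP part of a default-DENY
# firewall in two user chains; the rest of the host's INPUT/OUTPUT policy is
# out of scope here. Chain names and log prefix are placeholders.
IPT="${IPT:-iptables}"
DRYRUN="${DRYRUN:-1}"   # 1 = print the commands, 0 = really apply them (needs root)

run() {
  if [ "$DRYRUN" = "1" ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

# Inbound ICMP types the thread agrees on. Note: source-quench is deprecated
# (RFC 6633) and modern stacks ignore it, so it can be dropped from the list.
INBOUND_ICMP="echo-reply fragmentation-needed source-quench time-exceeded parameter-problem destination-unreachable"

icmp_rules() {
  run -N icmp_in
  run -N icmp_out
  run -A INPUT  -p icmp -j icmp_in
  run -A OUTPUT -p icmp -j icmp_out

  # Outbound: olli's list is echo-request only (our own pings go out).
  run -A icmp_out -p icmp --icmp-type echo-request -j ACCEPT
  run -A icmp_out -j DROP

  # Inbound: accept the replies and error messages that keep TCP/UDP working
  # (PMTU discovery, traceroute, fast failure on unreachable hosts/ports).
  for t in $INBOUND_ICMP; do
    run -A icmp_in -p icmp --icmp-type "$t" -j ACCEPT
  done

  # Inbound echo-request (ping) stays blocked, but is logged at most 5 times
  # per hour so a ping flood cannot fill the disk with log lines.
  run -A icmp_in -p icmp --icmp-type echo-request \
      -m limit --limit 5/hour --limit-burst 5 -j LOG --log-prefix "icmp_in drop: "
  run -A icmp_in -j DROP
}

# Helper for checking the generated (dry-run) policy: number of ACCEPT rules.
accept_rule_count() { icmp_rules | grep -c -- '-j ACCEPT'; }

icmp_rules
```

On a box that forwards traffic for others, outbound fragmentation-needed and time-exceeded would also have to pass, which olli's outbound list does not include.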
participants (5)
- Gerhard Sittig
- Hans Peter Wiedau
- jjohnson@penguincomputing.com
- Oliver Hensel
- Raffael Arthur Marty