Hi.

Some additions concerning the load on your firewall: the problem of DENY rules is the amount of logging (an attacker can very easily flood your packet filter with disallowed packets and thus fill up your logs and your hard disk). You can circumvent this problem with one of two methods:

- Don't log silly/uninteresting traffic (e.g. echo-requests), which is not an option in most cases.
- Use NetFilter with the limit module, so that only the first xxx (default 5) packets per hour get logged. Works beautifully.

Greetings
olli

On Wed, 13 Dec 2000, Oliver Hensel wrote:
Hi.
I think you have it backwards here: Firewalls should _always_ be configured as default DENY (or DROP with NetFilter), then open up those you really need and want.
Concerning ICMP, here is what I do with most of the firewalls I configured:
Outbound:
- echo-request (ping)

Inbound:
- echo-reply (pong)
- fragmentation-needed (for pmtu-discovery)
- source-quench (router is overloaded)
- time-exceeded
- parameter-problem
Hope that helps.

Greetings
olli
On Tue, 12 Dec 2000 jjohnson@penguincomputing.com wrote:
I hope you are just blocking ping and *not* ICMP. Blocking ICMP will break a lot of things. It will also break path-MTU discovery. In all honesty, blocking ping does no good for you. If somebody is ping flooding you, your firewall still has to deal with the packets, which if it's a lot of pings will increase the load on your firewall (obviously dependent on your firewall's hardware). In order to not break network services you should go through and only block the ICMP traffic you don't need. (I'll post a list of such traffic in a while.)
-miah
On Tue, Dec 12, 2000 at 01:36:58PM +0100, Raffael Arthur Marty wrote:
I block all pings to my mail/DNS server at the firewall. Now in my firewall logs I found that every time I get a mail from a certain domain, I have two ping entries in the logfiles. I found that it is the DNS server of the sender which is pinging me.

1. Why does the other DNS server ping me? (And send the mail after 2 failed attempts)
2. Should I allow ping to the mail/DNS server? What implications would that have?
Thanks
Raffy
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
--
--------------------------------------
Oliver Hensel
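The default-DENY policy, the ICMP allow list and the rate-limited logging discussed in this thread, as an added example (not code posted by any of the participants). It assumes iptables (NetFilter) syntax, takes the 5-per-hour log figure from olli's post as a parameter, and defaults to printing the rules via IPTABLES=echo instead of applying them.

```shell
#!/bin/sh
# Default DENY firewall with a bounded log volume.
# IPTABLES defaults to "echo" (dry run); set IPTABLES=iptables and run as
# root to actually load the rules.
IPTABLES="${IPTABLES:-echo}"
LOG_RATE="${LOG_RATE:-5/hour}"   # assumption: figure taken from the thread
LOG_BURST="${LOG_BURST:-5}"      # assumption: burst equal to the hourly rate

fw_rules() {
    # Default DENY (DROP): nothing passes unless explicitly allowed.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -F

    # Outbound ICMP: only echo-request (ping).
    "$IPTABLES" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Inbound ICMP: the types the thread lists as needed
    # (pong, PMTU discovery, congestion, TTL expiry, header errors).
    for t in echo-reply fragmentation-needed source-quench \
             time-exceeded parameter-problem; do
        "$IPTABLES" -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Log only the first LOG_BURST rejects, then LOG_RATE per chain, so a
    # flood of disallowed packets cannot fill the disk; drop the rest silently.
    for chain in INPUT OUTPUT FORWARD; do
        "$IPTABLES" -A "$chain" -m limit --limit "$LOG_RATE" \
            --limit-burst "$LOG_BURST" -j LOG --log-prefix "FW-$chain-DROP: "
        "$IPTABLES" -A "$chain" -j DROP
    done
}

# Helpers for inspecting the generated rule set without touching the kernel.
dry_run() { (IPTABLES=echo; fw_rules); }
count_log_rules() { dry_run | grep -c -- '-j LOG'; }          # 3
count_icmp_accepts() { dry_run | grep -c -- '-p icmp'; }      # 6
```

Run `dry_run` to review the rule set; every chain ends with one rate-limited LOG rule followed by an unconditional DROP.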