Mailinglist Archive: opensuse-security (564 mails)

Re: [suse-security] ICMP filter in SuSEfirewall? (again)
Hi,

If you like a really comprehensive book, check out

Eric A. Hall: "Internet Core Protocols" (O'Reilly)

every ICMP family plus subtypes plus a bunch
of TCP flags etc. is described there.

cheers,

chris

On Wednesday 24 January 2001 05:37, Rick Green wrote:
> On Tue, 23 Jan 2001, dprocc wrote:
> > Are these the definitions you mean?
> > #define ICMP_ECHOREPLY 0 /* Echo Reply */
> > #define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
> > #define ICMP_SOURCE_QUENCH 4 /* Source Quench */
> > #define ICMP_REDIRECT 5 /* Redirect (change route) */
> > #define ICMP_ECHO 8 /* Echo Request */
> >
> > and so forth
> >
> > I took this from the kernel source tree in:
> > /usr/data/src/linux-2.2.13.SuSE/include/net/icmp.h
>
> I've got a good description of the basic ICMP types in Ziegler's book
> "Linux Firewalls", but I haven't found a definition of the message
> sub-types. It's probably in the Comer books, but my copy is in storage at
> the moment. It's probably in an RFC, and I have all of them loaded on my
> system, but I don't know which number is the most recent index. I haven't
> had any luck fishing. (Wouldn't it be nice if the kind folks at SuSE
> included a link in that RPM called INDEX, pointing to the most recent
> index/status RFC.)
>
> 'man ipchains' mentioned getting a list via 'ipchains -h icmp', which
> returned the following, in part:
>
> destination-unreachable
> network-unreachable
> host-unreachable
> protocol-unreachable
> port-unreachable
> fragmentation-needed
> source-route-failed
> network-unknown
> host-unknown
> network-prohibited
> host-prohibited
> TOS-network-unreachable
> TOS-host-unreachable
> communication-prohibited
> host-precedence-violation
> precedence-cutoff
>
> So now I've got the names, I just need the definitions!
>
>
> My understanding at this point is that ICMP destination unreachable (port
> unreachable) is essentially the difference between -j DENY and -j REJECT.
> A DENY'd packet is just dropped on the floor, while a REJECTed packet
> returns ICMP port unreachable. Somebody please tell me if I'm on the
> right track here! So I'm confused when it appears to me that SuSEfirewall
> is dropping all outgoing ICMP 3's except 'fragmentation needed' and
> 'communication prohibited'. So there would be no external difference
> between a DENY and a REJECT, right?
>
> > I just posted a similar question about these DENYs to the
> > list, so sorry about the duplication. I am very interested
> > to hear what the Destination Unreachable packets do for the
> > ISP and for attackers.
>
> A portscanner will get NO response, and will have to wait for a timeout,
> if packets are dropped, but will get an immediate ICMP destination
> unreachable if they are REJECTed. Steve Gibson, on his Shields Up! site
> (www.grc.com - publicly available portscanner) seems to think the stealth
> approach of no response is better protection. On the other hand, I'd
> rather be polite with those hosts that I'm intending to communicate with.
>
> FURTHER RESEARCH:
>
> Still trying to understand what's going on under the covers as I send
> mail, I ran tcpdump as I sent an e-mail, then viewed the resulting file
> with ethereal. I'm finding this to be a real educational tool! Ethereal
> maps out and interprets all the bits of each packet, so I'm learning
> bunches about the protocols.
> I found out that the ICMP destination unreachable was in response to my
> ISP's mail relay host attempting to connect to my ident server. This
> sounds like a reasonable behavior. But I'm not running an ident server,
> because I'd rather give out as little information as possible.
>
> I'm now thinking that it's time for me to graduate to a 2.4 kernel and
> iptables. I recently read something about 'stateful' rules in iptables,
> so I could conceivably have a default DENY for ident, yet open up a
> temporary ACCEPT for a specific IP address when I see an outgoing TCP SYN
> towards that IP address's mail (or dns) server. Kewl.
> Has anybody successfully upgraded SuSE 6.4 to kernel 2.4? Or would I be
> better off starting with a fresh SuSE 7.0 system?
>
> --
> Rick Green
>
>
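Added example, not from this thread or from SuSEfirewall: a C decoder for the ICMP type 3 message that -j REJECT sends back where -j DENY stays silent, naming the code with the ipchains names quoted above. The code numbering (0-15, with code 8 having no ipchains name) follows RFC 792/1122/1812 rather than anything on this page, and the sample packet is constructed.

```c
/* Added example, not from the thread: decode an ICMP Destination Unreachable
 * (type 3) message, e.g. what -j REJECT returns, and name its code the way
 * ipchains -h icmp does. Code numbers follow RFC 792/1122/1812. */
#include <stdint.h>
#include <stddef.h>
#define ICMP_DEST_UNREACH 3   /* same value as the kernel's icmp.h #define */
/* ipchains names indexed by ICMP code; code 8 has no ipchains name */
static const char *unreach_name[16] = {
    "network-unreachable", "host-unreachable", "protocol-unreachable",
    "port-unreachable", "fragmentation-needed", "source-route-failed",
    "network-unknown", "host-unknown", "(source-host-isolated)",
    "network-prohibited", "host-prohibited", "TOS-network-unreachable",
    "TOS-host-unreachable", "communication-prohibited",
    "host-precedence-violation", "precedence-cutoff" };

struct unreach_info {
    unsigned code; const char *name;  /* ICMP code and its ipchains name */
    unsigned orig_proto, orig_dport;  /* protocol and dst port of the rejected packet */
};

/* RFC 1071 one's-complement sum over the whole ICMP message; 0 means valid */
static uint16_t icmp_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Returns 0 and fills *out, or -1 if this is not a well-formed type 3 message
 * (too short, wrong type/code, bad checksum, or no embedded IPv4 header) */
int decode_unreach(const uint8_t *icmp, size_t len, struct unreach_info *out) {
    if (len < 36 || icmp[0] != ICMP_DEST_UNREACH || icmp[1] > 15) return -1;
    if (icmp_checksum(icmp, len) != 0) return -1;        /* corrupt or forged */
    const uint8_t *ip = icmp + 8;                        /* embedded IP header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return -1;
    out->code = icmp[1];
    out->name = unreach_name[out->code];
    out->orig_proto = ip[9];
    out->orig_dport = (unsigned)ip[ihl + 2] << 8 | ip[ihl + 3];  /* L4 header */
    return 0;
}
/* Constructed sample, not a real capture: 3/3 port-unreachable for a TCP
 * packet from 192.168.1.2 to 192.168.1.1 port 113 (ident); checksum is valid */
static const uint8_t sample_reject[] = {
    0x03, 0x03, 0x01, 0xf7, 0x00, 0x00, 0x00, 0x00,              /* ICMP header */
    0x45, 0x00, 0x00, 0x3c, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06,  /* embedded IP */
    0x00, 0x00, 0xc0, 0xa8, 0x01, 0x02, 0xc0, 0xa8, 0x01, 0x01,
    0x9f, 0xc8, 0x00, 0x71, 0x00, 0x00, 0x00, 0x01 };            /* ports, seq */
```

Running decode_unreach over sample_reject yields code 3 "port-unreachable", protocol 6 and original destination port 113, which is exactly what the tcpdump capture of the relay's ident attempt would show; a tampered or truncated message is rejected by the checksum and length checks.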
