Re: [suse-security] IPTables
Be careful! It's a REALLY BAD IDEA to block all the ICMP traffic!!! You MUST allow the traffic for destination-unreachable, port-unreachable, fragmentation-needed, time-exceeded, etc... Look at http://people.unix-fu.org:8080/andreasson/iptables-tutorial/rc.firewall.txt for an example... And the rule is iptables -I INPUT -i eth0 -p icmp -s 0/0 --icmp-type 0 -j DENY

----- Original Message -----
From: "Arthur H. Johnson II" <arthur@linuxbox.nu>
Date: Tuesday, November 27, 2001 11:55 am
Subject: Re: [suse-security] IPTables
Try "iptables -I INPUT -i eth0 -p icmp -j DENY".
Arthur H. Johnson II
arthur@linuxbox.nu
The Linux Box
http://www.linuxbox.nu
On Tue, 27 Nov 2001 BLeonhardt@analytek.de wrote:
HI,
I'm very new to firewalling and have read some HOWTOs ... not the whole IPTABLES or NAT Howto ... haven't much time at the moment.
My question is quite simple:
How do I set up a rule that specifies that the localhost (linux box) cannot be pinged from outside??? And ... how can I log all connection attempts from outside???
I've set up a "simple" isdn-router and a quite simple firewall ... nearly everything is allowed, yet ... but this will change in some days/weeks :-)
Kind regards
Bruno Leonhardt
CLP Domino R5 Systemadministrator
AnalyTek Systemhaus Hospitalstr. 2a
D-65589 Hadamar
Tel.: 06433/81403-15 Fax : 06433/81403-40
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
No. No you must not. I have several machines blocking all ICMP, they work as servers and clients just fine. It's not the most polite thing to do, but then most people no longer run identd either.
-Kurt

----- Original Message -----
From: "Mauricio Latorre" <mlatorre@novared.cl>
Be careful! It's a REALLY BAD IDEA to block all the ICMP traffic!!! You MUST allow the traffic for destination-unreachable, port-unreachable, fragmentation-needed, time-exceeded, etc...
On Wed, Nov 28, 2001 at 06:17:27PM -0300, Kurt Seifried wrote:
No. No you must not. I have several machines blocking all ICMP, they work as servers and clients just fine. It's not the most polite thing to do, but then most people no longer run identd either.
-Kurt

----- Original Message -----
From: "Mauricio Latorre" <mlatorre@novared.cl>
Be careful! It's a REALLY BAD IDEA to block all the ICMP traffic!!! You MUST allow the traffic for destination-unreachable, port-unreachable, fragmentation-needed, time-exceeded, etc...
Ok, more in detail. If you know exactly what is going on in your local network, you can block all ICMP messages. But I prefer allowing ICMP type 3 messages on local networks at minimum. If we are speaking of a gateway to other networks, i.e. the Internet, you should at minimum allow ICMP type 3/code 4 messages (fragmentation needed but don't-fragment bit set). A lot of firewalls outside are filtering this type of message, causing problems with path MTU discovery, especially in Germany for ADSL users.

wob
--
<wob@swobspace.de> * http://www.swobspace.de * Linux is like a Wigwam: no Windows, no Gates, Apache inside. *
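A ruleset that follows the advice in this thread, as an added example (not from any poster or from the rc.firewall tutorial): it drops inbound echo-request so the box cannot be pinged, keeps the ICMP types needed for path MTU discovery and error reporting (type 3 including 3/4, 11 and 12), and logs new inbound connection attempts as Bruno asked. It assumes an external interface eth0 and iptables with the state, limit and LOG extensions; note that DENY was ipchains syntax, the iptables target is DROP. Set IPTABLES=echo to dry-run the rules without touching the kernel.

```shell
#!/bin/sh
# Added example: ICMP policy plus connection logging for an external interface.
# IPTABLES=echo prints the rules instead of loading them (dry-run).
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"   # assumed external interface, as in the thread

icmp_policy() {
    # The box must not answer pings from outside: drop echo-request (type 8).
    # DROP is the iptables target; DENY belongs to the older ipchains.
    $IPTABLES -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j DROP
    # Keep the error/control types TCP/IP relies on:
    #   destination-unreachable (type 3, incl. 3/4 fragmentation-needed for PMTU discovery)
    #   time-exceeded (type 11, e.g. traceroute and TTL expiry)
    #   parameter-problem (type 12)
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPTABLES -A INPUT -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Replies to our own outbound pings are covered by the ESTABLISHED rule below.
}

log_new_connections() {
    # Allow traffic belonging to connections we started or already accepted.
    $IPTABLES -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log new inbound attempts, rate-limited so a scan cannot fill the logs...
    $IPTABLES -A INPUT -i "$EXT_IF" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "FW NEW: "
    # ...and then drop them (insert ACCEPT rules for real services before this line).
    $IPTABLES -A INPUT -i "$EXT_IF" -m state --state NEW -j DROP
}

apply_firewall() {
    icmp_policy
    log_new_connections
}
```

Run as root with no variables set to load the rules, or as `IPTABLES=echo sh rc.icmp.sh` style dry-run after calling apply_firewall to review them first; the logged lines appear in the kernel log with the "FW NEW:" prefix.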