Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] IPChains
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Sat, 27 May 2000 22:18:00 +0200
  • Message-id: <20000527221800.G2305@xxxxxxxxxxxxx>
On Sat, May 27, 2000 at 18:18 +0200, Steffen Dettmer wrote:
> * Gerhard Sittig wrote on Sat, May 27, 2000 at 11:09 +0200:
> > But looking at all the ICMP packet types one should at least
> > block the redirect ones. And besides "dest unreach", "param
> > prob", "source quench" and "time exceeded" everything else
> > seems luxurious to pass through.
>
> Do you know what happens to the payload of such packets? May
> they be used like in icmp echo request packets?

I don't know (didn't care up to now). Maybe it's time to go and
fetch the appropriate RFC and have some reading ...

AFAIK the ping tunnel uses the variable length payload to contain
the data (which is usually just stuffed when you use the -s
switch). And nobody seems to care about echo requests and
replies. I'm not sure whether the above icmp packet types have
room for these things or if they just get truncated right after
the header.

> > And *if* you have to enable echo reqs and replies, you better
> > block icmp to the network and broadcast addresses (remember
> > smurf, tfn and the other DoSes?).
>
> BTW: if a firewall rejects echo request (with comm adm.
> prohibited), ordinary ping shows normal output, but of course
> even if the pinged host is down.

There's always the choice between rejection and denial. :)

BTW I'm aware of the fact that denied packets "reveal" there's
some kind of filter in between, attracting the kids like locked
doors to forbidden rooms ... But I'd rather have them run
against a wall they see than letting them go as far as they want
to _if_ they try and come at all.

> Additionally it seems to be possible to block fragmented
> ICMPs always, since usually those packets are very small,
> ain't? (Comments?)

Any decent firewall (or even the TCP stack) should drop corrupted
and malformed packets even before the header fields are looked at
and used to base decisions upon. It's mad enough that the fw
rules act on behalf of data that anyone untrusted, the very people
you actually try to defend against, delivers to you.


virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
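To make the policy discussed in the thread concrete (pass the four ICMP error types, drop redirects, drop fragmented ICMP, and keep echo traffic away from the network and broadcast addresses), here is an added Python example that is not part of the original mail. The classifier, the constructed test datagram builder, the 192.0.2.0/24 network and the ipchains-style ACCEPT/DENY verdicts are my assumptions for illustration.

```python
import ipaddress
import struct

# ICMP type numbers (RFC 792) used by the policy sketched in the thread.
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH = 0, 3, 4
ICMP_REDIRECT, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROB = 5, 8, 11, 12
PASS_TYPES = {ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROB}
ECHO_TYPES = {ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY}


def filter_icmp(packet: bytes, local_net: str, allow_echo: bool = False) -> str:
    """Classify one raw IPv4 datagram as 'ACCEPT' or 'DENY' under the thread's policy."""
    # Sanity-check the IP header before trusting any field in it.
    if len(packet) < 20:
        return "DENY"
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return "DENY"
    if packet[9] != 1:
        return "ACCEPT"  # not ICMP; other protocols are outside this example
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if flags_frag & 0x3FFF:  # MF bit set or non-zero fragment offset
        return "DENY"  # fragmented ICMP is dropped unconditionally
    if len(packet) < ihl + 8:
        return "DENY"  # an ICMP header is at least 8 bytes
    icmp_type = packet[ihl]
    if icmp_type == ICMP_REDIRECT:
        return "DENY"
    if icmp_type in PASS_TYPES:
        return "ACCEPT"  # error reports: IP header + 8 bytes of the offending datagram follow
    if icmp_type in ECHO_TYPES and allow_echo:
        net = ipaddress.ip_network(local_net)
        dst = ipaddress.ip_address(packet[16:20])
        if dst in (net.network_address, net.broadcast_address, ipaddress.ip_address("255.255.255.255")):
            return "DENY"  # echo to network/broadcast address: smurf amplification target
        return "ACCEPT"
    return "DENY"  # everything else is "luxurious"


def build_icmp(dst: str, icmp_type: int, payload: bytes = b"", frag_off: int = 0, more: bool = False) -> bytes:
    """Construct a sample IPv4/ICMP datagram for testing (checksums left zero; constructed data)."""
    flags_frag = (0x2000 if more else 0) | (frag_off & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, flags_frag,
                         64, 1, 0, ipaddress.ip_address("192.0.2.10").packed,
                         ipaddress.ip_address(dst).packed)
    return ip_hdr + struct.pack("!BBHI", icmp_type, 0, 0, 0) + payload
```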
