Mailinglist Archive: opensuse-security (192 mails)

< Previous Next >
Re: [suse-security] IPChains
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Sat, 27 May 2000 18:18:17 +0200
  • Message-id: <20000527181817.G2824@xxxxxxxxx>
* Gerhard Sittig wrote on Sat, May 27, 2000 at 11:09 +0200:
> But looking at all the ICMP packet types one should at least
> block the redirect ones. And besides "dest unreach", "param
> prob", "source quench" and "time exceeded" everything else seems
> luxurious to pass through.

Do you know what happens to the payload of such packets? May the
be used like in icmp echo request packets?

> And *if* you have to enable echo reqs and
> replies, you better block icmp to the network and broadcast
> addresses (remember smurf, tfn and the other DoSes?).

BTW: if a firewall rejects echo request (with comm adm.
prohibited), ordinary ping shows normal output, but of course
even if the pinged host is down. Additionally it seems to be
possible to block fragmentated ICMPs always, since usually those
packets are very small, ain't? (Comments?)

oki,

Steffen

--
Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.

< Previous Next >
Follow Ups