Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] IPChains
  • From: Roman Drahtmueller <draht@xxxxxxxxxxxxxxx>
  • Date: Sat, 27 May 2000 01:57:03 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0005270126580.27006-100000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

> > > i just wanted to say that you should keep in mind that there
> > > are different implementations for ping/traceroute.
> > > windows clients are using icmp packets while linux is using

Keep in mind that ICMP packets other than the request types aren't ever to
be answered by an ICMP packet. A router sending ICMP_TIME_EXCEEDED for
such an ICMP packet violates the standards (loops are the result).

> > > udp packets on port 33434+ (afair).
> > just by traceroute. Under Linux, ping also uses ICMP.
> AFAIK ping always uses ICMP. traceroute uses UDP (Ports cited
> above) by default but can be told to use ICMP, too. See "man 8
> traceroute", Options "-p" and "-I", for more info.
> And to make it security relevant, again (that's what we're here
> for after all): ping can act as a tunnel transporting data from
> and to the outside *if* you have a relay station inside your LAN.
> That's why admins sometimes decide to block pings and traceroutes
> and no user should feel any real loss about it.

This is right, but it's also good advice _not_ to filter ICMP packets
coming through the firewall into the internal network, or at least not to the
hosts that can take advantage of ICMPs (notably mailservers or such).
Without these control messages, long timeouts or inefficient bandwidth
usage are the result.

Example: your MTA connects to a host that is filtered behind a firewall.
If the filter doesn't send ICMPs, your MTA must wait until the first
timeout occurs before it connects to the next MX. This slows down the
whole process.

--
Roman Drahtmüller, CC University of Freiburg
email: draht@xxxxxxxxxxxxxxx
"The best way to pay for a lovely moment is to enjoy it." - Richard Bach
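To make the point above concrete, here is an added ipchains fragment (not part of the original mail or of any SUSE configuration) that puts the blanket "deny all ICMP" rule next to a selective policy that still admits the control messages an MTA and TCP in general depend on. The interface name is an assumed placeholder, and by default the script only prints the commands it would run so it can be inspected offline; setting DRY_RUN=0 applies them as root on a 2.2 kernel with ipchains.

```shell
#!/bin/sh
# Added example: contrast a blanket ICMP block with a selective ICMP policy
# in ipchains syntax. EXT_IF is an assumed external interface name.
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-eth0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# Weak policy: drop every ICMP packet arriving on the external interface.
# Connections to filtered or unreachable hosts now hang until the TCP
# timeout instead of failing fast (the MTA/MX case described above).
weak_icmp_policy() {
    run -A input -i "$EXT_IF" -p icmp -j DENY
}

# Selective policy: accept the error/control types that let TCP and path
# MTU discovery fail fast (fragmentation-needed is a destination-unreachable
# code, so it is covered), let replies to our own pings back in, and deny
# the rest (echo-request, redirect, timestamp, ...).
# In ipchains the ICMP type is written in the source "port" slot after -s.
selective_icmp_policy() {
    for t in destination-unreachable time-exceeded source-quench parameter-problem; do
        run -A input -i "$EXT_IF" -p icmp -s 0/0 "$t" -j ACCEPT
    done
    run -A input -i "$EXT_IF" -p icmp -s 0/0 echo-reply -j ACCEPT
    run -A input -i "$EXT_IF" -p icmp -j DENY
}

# Helper for checking the generated policy: number of ACCEPT rules emitted.
count_accepted_types() {
    DRY_RUN=1 selective_icmp_policy | grep -c ACCEPT
}

# Helper: number of DENY rules the weak policy emits.
count_weak_denies() {
    DRY_RUN=1 weak_icmp_policy | grep -c DENY
}

# Running the script directly prints both rule sets for review.
if [ "${0##*/}" != "sh" ] && [ "$DRY_RUN" = "1" ]; then
    echo "# weak policy:";      weak_icmp_policy
    echo "# selective policy:"; selective_icmp_policy
fi
```

Order matters in ipchains: the ACCEPT rules for the control types must precede the final catch-all DENY on the input chain, otherwise the deny matches first and the selective policy degrades into the weak one.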
