MaD dUCK started typing into the keyboard and wrote:
mh. icmp messages are vital to most traffic on the network and they cannot really be used for hacking. of course, icmp floods (i.e. ping of death etc.) are based on them, but your system should be immune. anyway, destination-unreachable for instance is what you get back when you point netscape to http://i.dont.exist.com. it's a very low-level protocol, called the internet (protocol) control message protocol, so it is used at a level far below tcp/udp to handle control messages.
i don't know where your firewall is set up. i assume you are using ipchains to configure it.
No, I am using SuSEfirewall (which is basically creating the ipchains rules based on the info I provide in the rc.firewall.config (AFAIK))
so check /etc/rc.d/init.d/ipchains, /etc/ipchains*, and /etc/sysconfig/ipchains for lines similar to the ones below. let me know when you find a file that lists rules with or without the 'ipchains' in the beginning of the line.
Well, attached is a list of the output of "SuSEfirewall" run as /sbin/SuSEfirewall status, which I am sure is not what you are looking for

-- 
Togan Muftuoglu
toganm@turk.net

ps nosig is ok ?

Chain input (policy DENY: 43 packets, 3166 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
603 112K ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 * 213.153.146.12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 * 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 * 0.0.0.0/0 127.0.0.0/8 n/a
0 0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 0 -> *
43 2516 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 3 -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 11 -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 12 -> *
0 0 ACCEPT tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 25
0 0 ACCEPT tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 25
0 0 ACCEPT tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 53
0 0 ACCEPT tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 53
0 0 ACCEPT tcp -y--l- 0xFF 0x00 * 127.0.0.1 213.153.146.12 * -> 22
0 0 ACCEPT tcp ------ 0xFF 0x00 * 127.0.0.1 213.153.146.12 * -> 22
0 0 ACCEPT tcp -y--l- 0xFF 0x00 * 127.0.0.2 213.153.146.12 * -> 22
0 0 ACCEPT tcp ------ 0xFF 0x00 * 127.0.0.2 213.153.146.12 * -> 22
0 0 ACCEPT tcp -y--l- 0xFF 0x00 * 127.0.0.1 213.153.146.12 * -> 53
0 0 ACCEPT tcp ------ 0xFF 0x00 * 127.0.0.1 213.153.146.12 * -> 53
0 0 ACCEPT tcp -y--l- 0xFF 0x00 * 127.0.0.2 213.153.146.12 * -> 53
0 0 ACCEPT tcp ------ 0xFF 0x00 * 127.0.0.2 213.153.146.12 * -> 53
0 0 REJECT tcp -y---- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 113
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 22
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 22
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 25
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 25
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 37
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 37
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 80
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 80
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 110
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 110
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 111
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 111
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 113
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 113
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 443
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 443
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 444
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 444
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 515
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 515
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 1023
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 1023
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 2049
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 2049
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 4557
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 4557
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 4559
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 4559
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 6000
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 6000
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 6711
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 6711
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 7101
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 7101
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 10000
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 10000
1020 661K ACCEPT tcp !y---- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 600:65535
0 0 ACCEPT tcp !y---- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 20
0 0 ACCEPT udp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 53
0 0 ACCEPT udp ------ 0xFF 0x00 * 127.0.0.1 213.153.146.12 * -> 514
0 0 ACCEPT udp ------ 0xFF 0x00 * 127.0.0.2 213.153.146.12 * -> 514
0 0 ACCEPT udp ------ 0xFF 0x00 * 127.0.0.1 213.153.146.12 * -> 37
0 0 ACCEPT udp ------ 0xFF 0x00 * 127.0.0.2 213.153.146.12 * -> 37
0 0 ACCEPT udp ------ 0xFF 0x00 * 127.0.0.1 213.153.146.12 * -> 4000
0 0 ACCEPT udp ------ 0xFF 0x00 * 127.0.0.2 213.153.146.12 * -> 4000
37 6890 ACCEPT udp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 1024
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 37
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 111
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 1020
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 1024
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 2049
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 10000
7 883 ACCEPT udp ------ 0xFF 0x00 * 0.0.0.0/0 213.153.146.12 * -> 1024:65535
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 255.255.255.255 n/a
0 0 DENY all ------ 0xFF 0x00 * 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 !213.153.146.12 n/a
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 4 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 8 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 11 -> *
0 0 DENY tcp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 135:139
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 DENY udp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 135:139
0 0 DENY udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a

Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 DENY tcp -y--l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a

Chain output (policy ACCEPT: 2711 packets, 224776 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
603 112K ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY icmp ----l- 0xFF 0x00 * 213.153.146.12 0.0.0.0/0 11 -> *
3 436 DENY icmp ----l- 0xFF 0x00 * 213.153.146.12 0.0.0.0/0 3 -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 ACCEPT tcp ------ 0x01 0x10 * 0.0.0.0/0 0.0.0.0/0 22 -> *
0 0 ACCEPT tcp ------ 0x01 0x10 * 0.0.0.0/0 0.0.0.0/0 * -> 22
0 0 ACCEPT udp ------ 0x01 0x14 * 0.0.0.0/0 0.0.0.0/0 * -> 514
0 0 ACCEPT udp ------ 0x01 0x14 * 0.0.0.0/0 0.0.0.0/0 * -> 162
0 0 ACCEPT tcp ------ 0x01 0x08 * 0.0.0.0/0 0.0.0.0/0 20 -> *
0 0 ACCEPT tcp ------ 0x01 0x08 * 0.0.0.0/0 0.0.0.0/0 80 -> *
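
Added example, not part of the original mail and not SuSEfirewall's own code: a Python evaluation of each ICMP type against the input chain of a listing in the format above, using ipchains' rule that the first matching rule decides. The sample rows are constructed to mirror the ICMP-related input rules, with the host address replaced by 192.0.2.10; the function names, the interface eth0 and the source 198.51.100.7 are assumptions.

```python
import ipaddress

# ICMP types that occur in the listing (names per RFC 792)
ICMP_NAMES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded",
              12: "parameter-problem"}

# Constructed sample mirroring the ICMP-related input rules (host is 192.0.2.10)
SAMPLE = """\
Chain input (policy DENY: 43 packets, 3166 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
603 112K ACCEPT all ------ 0xFF 0x00 lo 0.0.0.0/0 0.0.0.0/0 n/a
0 0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 192.0.2.10 0 -> *
43 2516 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 192.0.2.10 3 -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 192.0.2.10 11 -> *
0 0 ACCEPT icmp ------ 0xFF 0x00 * 0.0.0.0/0 192.0.2.10 12 -> *
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0 !192.0.2.10 n/a
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 8 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 11 -> *
"""

def parse_chain(text, chain):
    """Return (rules, policy) for one chain of a listing in the format above."""
    rules, policy, active = [], None, False
    for f in (line.split() for line in text.splitlines()):
        if f[:1] == ["Chain"]:
            active = f[1] == chain
            policy = f[3].rstrip(":") if active else policy
        elif active and len(f) >= 11 and f[2] in ("ACCEPT", "DENY", "REJECT"):
            rules.append(dict(target=f[2], prot=f[3], ifname=f[7],
                              src=f[8], dst=f[9], type=f[10]))
    return rules, policy

def addr_match(spec, ip):  # spec is a listing field such as 0.0.0.0/0 or !192.0.2.10
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != spec.startswith("!")

def decide(rules, policy, iface, src, dst, icmp_type):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for r in rules:
        if (r["prot"] in ("icmp", "all") and r["ifname"] in ("*", iface)
                and (r["prot"] == "all" or r["type"] in ("*", str(icmp_type)))
                and addr_match(r["src"], src) and addr_match(r["dst"], dst)):
            return r["target"]
    return policy

def icmp_verdicts(text, iface="eth0", src="198.51.100.7", dst="192.0.2.10"):
    rules, policy = parse_chain(text, "input")
    return {n: decide(rules, policy, iface, src, dst, t) for t, n in ICMP_NAMES.items()}
```

Time-exceeded (type 11) addressed to the host comes out as ACCEPT even though a later rule denies type 11, because the host-specific ACCEPT is listed first; echo-request (type 8) has no such earlier rule and is denied.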