Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] PING when mail arrives
  • From: Oliver Hensel <oliver.hensel@xxxxxxx>
  • Date: Wed, 13 Dec 2000 11:32:10 +0100 (CET)
  • Message-id: <Pine.LNX.4.21.0012131128010.20529-100000@xxxxxxxxxxxxxxxx>
Hi.

Some additions concerning the load on your firewall:
The problem of DENY-rules is the amount of logging (an attacker can very
easily flood your packet filter with disallowed packets and thus fill
up your logs and your hard disk).
You can circumvent this problem with one of two methods:
- Don't log silly/uninteresting traffic (e.g. echo-requests), which is
not an option in most cases.
- Use NetFilter with the limit module, so that only the first xxx (default
5) packets per hour get logged. Works beautifully.

Greetings
olli


On Wed, 13 Dec 2000, Oliver Hensel wrote:

> Hi.
>
> I think you have it backwards here:
> Firewalls should _always_ be configured as default DENY (or DROP with
> NetFilter), then open up those you really need and want.
>
> Concerning ICMP, here is what I do with most of the firewalls I
> configured:
>
> Outbound:
> - echo-request (ping)
>
> Inbound:
> - echo-reply (pong)
> - fragmentation-needed (for pmtu-discovery)
> - source-quench (router is overloaded)
> - time-exceeded
> - parameter-problem
>
>
> Hope that helps
> Greetings
> olli
>
> On Tue, 12 Dec 2000 jjohnson@xxxxxxxxxxxxxxxxxxxx wrote:
>
> > I hope you are just blocking ping and *not* icmp. Blocking icmp will
> > break a lot of things. It will also break path-mtu discovery. In all
> > honesty, blocking ping does no good for you. If somebody is ping
> > flooding you, your firewall still has to deal with the packets, which
> > if it's a lot of pings will increase the load on your firewall (obviously
> > dependent on your firewall's hardware). In order to not break network
> > services you should go through and only block the icmp traffic you
> > don't need. (I'll post a list of such traffic in a while)
> >
> > -miah
> >
> > On Tue, Dec 12, 2000 at 01:36:58PM +0100, Raffael Arthur Marty wrote:
> > > I block all pings to my mail/dns-server at the firewall.
> > > Now in my fw-logs I found that every time I get a mail from a certain
> > > domain, I have two ping-entries in the logfiles. I found that it is the
> > > DNS-Server of the sender which is pinging me.
> > >
> > > 1. Why does the other DNS-Server ping me? (And send the mail after 2
> > > failed attempts)
> > > 2. Should I allow ping to the mail/dns server? What implications would
> > > that have?
> > >
> > > Thanks
> > >
> > > Raffy
> >

--
--------------------------------------
Oliver Hensel <oliver.hensel@xxxxxxx>
http://www.ohensel.de/

Training + Consulting
Unix - Linux - Firewalls - Security
--------------------------------------
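
The policy discussed in this thread (default DROP, the listed ICMP types, rate-limited logging through the NetFilter limit module), written out as an added example that is not part of the original messages: a shell script that prints the matching iptables rules and estimates how many log lines a flood can produce. The rate of 5 per hour, the burst of 5, the log prefix and the function names are assumptions chosen for illustration; rules for other services are left out.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Prints iptables rules for the ICMP policy and rate-limited logging
# described above. Run with --apply (as root) to load them.

LOG_PER_HOUR=5   # assumed sustained logging rate (packets per hour)
LOG_BURST=5      # assumed number of packets logged before the rate applies

build_rules() {
    # Default policy: drop everything that is not explicitly allowed.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"

    # Outbound: only echo-request (ping).
    echo "iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT"

    # Inbound: the ICMP types the thread lists as needed.
    for t in echo-reply fragmentation-needed source-quench \
             time-exceeded parameter-problem; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done

    # Last INPUT rule: log what is about to hit the DROP policy, but only
    # as fast as the limit module's token bucket allows.
    echo "iptables -A INPUT -m limit --limit ${LOG_PER_HOUR}/hour" \
         "--limit-burst ${LOG_BURST} -j LOG --log-prefix \"INPUT-DROP: \""
}

# Estimate of the most log lines a continuous flood lasting $1 seconds
# can cause: the initial burst plus one line per refilled token.
max_logged() {
    echo $(( LOG_BURST + $1 * LOG_PER_HOUR / 3600 ))
}

if [ "${1:-}" = "--apply" ]; then
    build_rules | sh
fi
```

Without arguments the script changes nothing; call `build_rules` to review the rules before loading them.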

