Mailinglist Archive: opensuse-security (520 mails)

< Previous Next >
Re: [suse-security] PING when mail arrives
  • From: Oliver Hensel <oliver.hensel@xxxxxxx>
  • Date: Wed, 13 Dec 2000 11:27:22 +0100 (CET)
  • Message-id: <Pine.LNX.4.21.0012131122450.20529-100000@xxxxxxxxxxxxxxxx>
Hi.

I think you have it backwards here:
Firewalls should _always_ be configured as default DENY (or DROP with
NetFilter), then open up those you really need and want.

Concerning ICMP, here is what I do with most of the firewalls I
configured:

Outbound:
- echo-request (ping)

Inbound:
- echo-reply (pong)
- fragmentation-needed (for pmtu-discovery)
- source-quench (router is overloaded)
- time-exceeded
- parameter-problem


Hope that helps
Greetings
olli

On Tue, 12 Dec 2000 jjohnson@xxxxxxxxxxxxxxxxxxxx wrote:

> I hope you are just blocking ping and *not* icmp. Blocking icmp will
> break alot of things. It will also break path-mtu discovery. In all
> honesty, blocking ping does no good for you. If somebody is ping
> flooding you, your firewall still has to deal with the packets, which
> if its alot of pings will increase the load on your firewall(obviously
> dependent on your firewalls hardware). In order to not break network
> services you should go through and only block the icmp traffic you
> don't need. (I'll post of list of such traffic in a while)
>
> -miah
>
> On Tue, Dec 12, 2000 at 01:36:58PM +0100, Raffael Arthur Marty wrote:
> > I block all pings to my mail/dns-server at the firewall.
> > Now in my fw-logs I found that everytime I get a mail from a certain
> > domain, I have two ping-entries in the logfiles. I found that it is the
> > DNS-Server of the sender which is pinging me.
> >
> > 1. Why does the other DNS-Server ping me? (And send the mail after 2
> > failed attempts)
> > 2. Should I allow ping to the mail/dns server? What implications would
> > that have?
> >
> > Thanks
> >
> > Raffy
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>
>
>
>

--
--------------------------------------
Oliver Hensel <oliver.hensel@xxxxxxx>
http://www.ohensel.de/

Training + Consulting
Unix - Linux - Firewalls - Security
--------------------------------------


< Previous Next >
References