
Re: [Sheflug] Firewalls and port scanners



>>>>> "Chris" == Chris J/#6 <sixie [at] nccnet.co.uk> writes:

    Chris> Some people argue it's good to block ICMP...I
    Chris> disagree.../some/ ICMP stuff maybe (eg, echo-request) but
    Chris> it depends on your paranoia. I'd rather have all ICMP
    Chris> control packets come through to my box personally. I think
    Chris> networking folk are split down the middle on this one.

Not likely.  No ICMP, you're not a conforming internet host.  See RFC
1122.

Period.

And you're just screwing yourself.

The reason networking people are split on this is that most
organizations don't use firewalls only to protect their systems from
outsiders; they use them to control usage by insiders as well.  If you
don't really want your Windose boxes on the net anyway, then you can
deny ICMP to them at the firewall.  This has the advantage of making
the proxy you've so thoughtfully provided more reliable than direct
connections, etc.

Doing this in a compliant way is quite difficult (harder than it
should be; we can hope IPv6 will address these issues).  So you really
shouldn't deny ICMP at all unless you know what you're doing, even for
a host that is not supposed to have any servers exposed.

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.
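Selective ICMP filtering, as an added illustration that is not part of the list message: a Python script that parses the ICMP header (type, code, checksum) of a few constructed messages and compares the "drop all ICMP" rule the reply argues against with a policy that keeps the error messages a host needs to process (destination unreachable, time exceeded, parameter problem) while still dropping echo requests, the one case the quoted message concedes. Destination Unreachable code 4 ("fragmentation needed") is the concrete casualty of a blanket drop: Path MTU discovery relies on it, so connections that exceed a smaller MTU on the path silently stall. The policy function names and sample packets are mine; the script models the verdict logic, not a real packet filter.

```python
import struct

# ICMP message types and codes referenced below (RFC 792 numbering).
ECHO_REPLY = 0
DEST_UNREACH = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
PARAM_PROBLEM = 12
FRAG_NEEDED = 4  # Destination Unreachable code: "fragmentation needed and DF set"


def icmp_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over the ICMP header and payload.

    Returns 0 when `data` already carries a correct checksum field.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(type_: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (sample data, not captured traffic)."""
    header = struct.pack("!BBH", type_, code, 0) + rest
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBH", type_, code, checksum) + rest + payload


def parse_icmp(pkt: bytes) -> tuple:
    """Return (type, code) of an ICMP message, rejecting short or corrupted input."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(pkt))
    if icmp_checksum(pkt) != 0:
        raise ValueError("ICMP checksum mismatch")
    type_, code, _ = struct.unpack("!BBH", pkt[:4])
    return type_, code


def policy_drop_all_icmp(type_: int, code: int) -> str:
    """The blanket 'block ICMP' rule the reply argues against (hypothetical policy)."""
    return "DROP"


def policy_host_compliant(type_: int, code: int) -> str:
    """Selective filtering that keeps the error messages a host needs (hypothetical policy).

    Destination Unreachable (including code 4, fragmentation needed, which
    Path MTU discovery depends on), Time Exceeded and Parameter Problem are
    accepted; echo requests, redirects and everything else are dropped.
    """
    if type_ in (DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM):
        return "ACCEPT"
    if type_ == ECHO_REPLY:
        return "ACCEPT"  # a real filter would accept only replies to our own requests
    return "DROP"


# Constructed sample messages (not captured traffic).
SAMPLE_PACKETS = {
    # "fragmentation needed"; next-hop MTU 1400 sits in the last two header bytes
    "frag_needed": build_icmp(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1400)),
    "ttl_exceeded": build_icmp(TIME_EXCEEDED, 0),
    "echo_request": build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping"),
}


def compare_policies() -> dict:
    """Verdict of (drop-all, host-compliant) policy for each sample message."""
    results = {}
    for name, pkt in SAMPLE_PACKETS.items():
        type_, code = parse_icmp(pkt)
        results[name] = (policy_drop_all_icmp(type_, code),
                         policy_host_compliant(type_, code))
    return results


if __name__ == "__main__":
    for name, (drop_all, selective) in compare_policies().items():
        print("%-13s drop-all: %-6s selective: %s" % (name, drop_all, selective))
```

Running the script prints one line per sample message; the "frag_needed" and "ttl_exceeded" rows are where the two policies diverge, which is the whole point of the reply's objection to dropping ICMP wholesale.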