Re: [Sheflug] Firewalls and port scanners
Phew, I think I got that one right (I ACCEPT all icmp stuff. My internet
connection won't work without it anyways...)
Craig Andrews
craig@fishbot.org.uk
- - - - - - - - - - - - - - - - - -
Life would be so much easier if we
could just look at the source code.
- - - - - - - - - - - - - - - - - -
On Mon, 2 Oct 2000, Stephen J. Turnbull wrote:
> >>>>> "Chris" == Chris J/#6 <sixie [at] nccnet.co.uk> writes:
>
> Chris> Some people argue it's good to block ICMP...I
> Chris> disagree.../some/ ICMP stuff maybe (eg, echo-request) but
> Chris> it depends on your paranoia. I'd rather have all ICMP
> Chris> control packets come through to my box personally. I think
> Chris> networking folk are split down the middle on this one.
>
> Not likely. No ICMP, you're not a conforming internet host. See RFC
> 1122.
>
> Period.
>
> And you're just screwing yourself.
>
> The reason networking people are split on this is that most
> organizations don't use firewalls only to protect their systems from
> outsiders; they use them to control usage by insiders as well. If you
> don't really want your Windose boxes on the net anyway, then you can
> deny ICMP to them at the firewall. This has the advantage of making
> the proxy you've so thoughtfully provided more reliable than direct
> connections, etc.
>
> Doing this in a compliant way is quite difficult (harder than it
> should be, we can hope IPv6 will address these issues). So you really
> shouldn't deny ICMP at all unless you know what you're doing, even for
> a host that is not supposed to have any servers exposed.
>
> --
> University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
> Institute of Policy and Planning Sciences Tel/fax: +81 (298) 53-5091
> _________________ _________________ _________________ _________________
> What are those straight lines for? "XEmacs rules."
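Added example, not part of Craig's or Stephen's messages: a host firewall ICMP policy written in the spirit of the thread, as iptables rules on the INPUT chain. It keeps the control messages a conforming host needs (destination-unreachable, time-exceeded, parameter-problem, per RFC 1122), admits echo-reply, and rate-limits inbound echo-request instead of dropping it outright, which is the middle ground between "accept all ICMP" and "block echo-request". The chain name, the rate limit and the choice to drop the remaining ICMP types are assumptions of this example, not something the thread specifies; IPT defaults to echoing the commands so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example: ICMP policy for an end host, in the spirit of the thread.
# IPT defaults to "echo iptables" so the rules are only printed; run with
# IPT=iptables (as root) to actually install them. Values are assumptions.
: "${IPT:=echo iptables}"

icmp_rules() {
    # Error messages that tell the IP stack a path is broken. Dropping these
    # breaks path-MTU discovery and leaves connections hanging until they
    # time out, which is the "screwing yourself" case from the thread.
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Replies to pings this host sent.
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # Inbound pings: answer a bounded number per second (limit values are
    # an assumption) rather than dropping them, then drop the excess.
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

    # Remaining ICMP types (redirect, router advertisement, ...) are not
    # needed by an end host that runs no routing, so they are dropped.
    $IPT -A INPUT -p icmp -j DROP
}

icmp_rules
```

Rule order matters: the rate-limited ACCEPT for echo-request must precede its DROP, and both must precede the final catch-all DROP, which is why the rules are appended in this sequence. On a firewall protecting an internal segment rather than a single host, the same error types should still be allowed through in both directions for the reasons Stephen gives.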
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.