[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Firewalls and port scanners



Phew, I think I got that one right (I ACCEPT all icmp stuff. My internet
connection won't work without it anyways...)

Craig Andrews
craig@fishbot.org.uk

- - - - - - - - - - - - - - - - - -
Life would be so much easier if we 
could just look at the source code.
- - - - - - - - - - - - - - - - - -

On Mon, 2 Oct 2000, Stephen J. Turnbull wrote:

> >>>>> "Chris" == Chris J/#6 <sixie [at] nccnet.co.uk> writes:
> 
>     Chris> Some people argue its good to block ICMP...I
>     Chris> disagree.../some/ ICMP stuff maybe (eg, echo-request) but
>     Chris> it depends on your paranoia. I'd rather have all ICMP
>     Chris> control packets come through to my box personally. I think
>     Chris> networking folk are split down the middle on this one.
> 
> Not likely.  No ICMP, you're not a conforming internet host.  See RFC
> 1122.
> 
> Period.
> 
> And you're just screwing yourself.
> 
> The reason networking people are split on this is that most
> organizations don't use firewalls only to protect their systems from
> outsiders; they use them to control usage by insiders as well.  If you
> don't really want your Windose boxes on the net anyway, then you can
> deny ICMP to them at the firewall.  This has the advantage of making
> the proxy you've so thoughtfully provided more reliable than direct
> connections, etc.
> 
> Doing this in a compliant way is quite difficult (harder than it
> should be, we can hope IPv6 will address these issues).  So you really
> shouldn't deny ICMP at all unless you know what you're doing, even for
> a host that is not supposed to have any servers exposed.
> 
> -- 
> University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
> Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
> _________________  _________________  _________________  _________________
> What are those straight lines for?  "XEmacs rules."
> ---------------------------------------------------------------------
> Sheffield Linux User's Group - http://www.sheflug.co.uk
> To unsubscribe from this list send mail to
> - <sheflug-request [at] vuw.ac.nz> - with the word 
>  "unsubscribe" in the body of the message. 
> 
>   GNU the choice of a complete generation.
> 
> 

---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.