Re: Questions about ICMP

Rick Stevens wrote:
> On Wed, 2007-12-05 at 16:00 -0800, Daniel B. Thurman wrote:
> > Craig White wrote:
> >
> > Sent: Wednesday, December 05, 2007 3:33 PM
> > To: For users of Fedora
> > Subject: Re: Questions about ICMP
> >
> > > On Wed, 2007-12-05 at 15:27 -0800, Daniel B. Thurman wrote:
> > > > Should ICMP packets be allowed both over the
> > > > Internet or should it be allowed to pass only in
> > > > the local networks?
> > > >
> > > > I have a firewall appliance and trying to make sure
> > > > that I am being secured properly.
> > > ----
> > > disabling icmp echo requests is a great feature for the ultra-paranoid
> > >
> > > Craig
> >
> > --
> > So... am I to read this as it is a good idea to disable all icmp
> > requests?  I get a LOT of ICMP requests from the Internet probing
> > at my ports, which are disabled.  This is a good idea?
>
> There is no reason for people to ICMP you unless they're just snooping
> to see what IPs are in use--and that can indicate an oncoming hack
> attempt.  It is a very good idea to turn it off.

Bah humbug.
If I want to know whether you're running an email server, I'll just open a connexion. A failure tells me all I need to know. icmp (other than those necessary for the transaction) has nothing to do with it.

The _only_ risks I know with icmp are
1. DoS by overloading your connexion.
   Can equally well be done with other IP traffic such as UDP or TCP.
   Can't usefully be blocked by you anyway, by the time the traffic reaches your gateway the harm is done. Has to be blocked at your ISP or further out.
2. Actually breaking your kernel. It has happened (teardrop I think did that some years ago). I'm not going to worry about that one, there are many greater risks to being on the 'net.


> I do...at least at my router/firewall.  The Internet doesn't need to
> know I'm there.  Internally I leave it enabled so I can verify my
> machines are alive (that and SNMP stuff).  So if you're on my private
> network, pings are OK.  I ignore attempts from the outside (in iptables
> parlance, "-j DROP").

My requirements are a little different, I run some of my own Internet services and need to connect to other machines I control.

At my firewall I log and drop unwelcome traffic, I rate-limit some traffic (it's hard to enumerate accounts and passwords at five connexions per hour), and log and reject unwanted traffic within one of my LANs.

--
Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
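The policy Rick and John describe above (accept pings from the private network, log and drop them from the Internet, keep the ICMP errors a connection itself needs, and throttle logins to a handful per hour) written out as iptables rules. This is an added example, not code from anyone in the thread; the LAN range 192.168.1.0/24, the interface name eth0 and the five-per-hour SSH limit are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: prints the iptables
# commands it would run; set APPLY=1 to execute them (requires root).
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private network (placeholder)
WAN_IF="${WAN_IF:-eth0}"               # assumed Internet-facing interface (placeholder)

# Wrapper: print the rule in dry-run mode, install it in apply mode.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else printf 'iptables %s\n' "$*"; fi
}

icmp_rules() {
    # Echo replies and ICMP errors belonging to our own flows (unreachable,
    # fragmentation-needed, time-exceeded) are tracked as RELATED and stay
    # allowed: these are the messages "necessary for the transaction".
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Pings from the private network: accept, so hosts can be checked for liveness.
    ipt -A INPUT -p icmp --icmp-type echo-request -s "$LAN_NET" -j ACCEPT
    # Pings arriving from the Internet: log (rate-limited so the log cannot be
    # flooded), then silently drop ("-j DROP": no reply of any kind).
    ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 6/min \
        -j LOG --log-prefix "ICMP-ECHO-DROP: "
    ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

ssh_rate_limit() {
    # Brute-force throttle with the recent module: the first rule records every
    # new SSH connection per source address; a source that reaches 6 hits inside
    # an hour (the current attempt counts) is logged and dropped, so 5 get through.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh \
        --rcheck --seconds 3600 --hitcount 6 -j LOG --log-prefix "SSH-LIMIT: "
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh \
        --update --seconds 3600 --hitcount 6 -j DROP
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
}

icmp_rules
ssh_rate_limit
```

Run it unprivileged to review the generated rules; `APPLY=1` installs them, and the INPUT chain still needs its default policy and any other services added separately.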

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list