Re: RELATED ICMP packets of type 3

On Friday 11 February 2005 at 17:57 +0300, Mikhail Zotov wrote:
> As far as I understand, it is safe to ACCEPT incoming
> packets of this sort.

As far as they're RELATED, you can assume these packets to be
legitimate ones. So, yes, it is safe to accept them. It is also necessary
to accept them if you want your IP stack to detect errors and be
functional. As an example, if you drop Fragmentation Needed packets
(type 3, code 4), you'll break PMTU Discovery...

> Is it safe to allow _outgoing_ packets of this kind?

For the same reason, yes, and for the sake of the Internet, do it. I'm
personally sick of these dummy firewalls/admins who can't get ICMP
filtered correctly and break things, so you have to find workarounds all
the time. As an example, see why you have to adjust TCPMSS on PPPoE DSL
lines...

> Can an attacker make my machine generate such packets
> in order to obtain information about it?  (All new
> incoming packets are just DROPped.)

If NEW packets are dropped, then IP packets are not evaluated, so you
most certainly won't have ICMP errors sent back...

Netfilter gives you a mechanism to identify legitimate ICMP errors using
conntrack. If you trust Netfilter conntrack, use it.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
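The reply above rests on one mechanism: conntrack marks an ICMP error as RELATED only when the IP header and first 8 transport bytes embedded in it name a connection already in its table, so a Fragmentation Needed message for a flow you never opened is not RELATED. The following is an added example, not code from this thread or from Netfilter: a simplified Python model of that lookup (the real kernel code also checks checksums, timeouts and more), run over two constructed type 3 / code 4 packets, one legitimate and one forged. All addresses are documentation ranges and the tracked-connection table is invented.

```python
import struct
from ipaddress import IPv4Address

# Constructed connection-tracking table standing in for conntrack's state: one
# outgoing TCP connection this host opened, keyed by its original-direction
# 5-tuple (proto, src, sport, dst, dport).
TRACKED = {
    (6, "192.0.2.10", 40000, "198.51.100.5", 443): "ESTABLISHED",
}

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
ICMP_ERROR_TYPES = {3, 4, 11, 12}  # dest unreach, source quench, time exceeded, param problem


def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for a raw IPv4 packet; checksums are not verified."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad version/IHL")
    return proto, str(IPv4Address(src)), str(IPv4Address(dst)), buf[ihl:]


def classify_icmp_error(buf):
    """Simplified model of conntrack's verdict for an inbound ICMP error.

    Returns ("RELATED", key, next_hop_mtu) when the embedded IP header plus the
    first 8 transport bytes name a tracked connection, or ("INVALID", reason, None).
    """
    proto, _, _, payload = parse_ipv4(buf)
    if proto != 1 or len(payload) < 8:
        return ("INVALID", "not an ICMP packet", None)
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", payload[:8])
    if icmp_type not in ICMP_ERROR_TYPES:
        return ("INVALID", "not an ICMP error type", None)
    try:
        iproto, isrc, idst, ipayload = parse_ipv4(payload[8:])
    except ValueError as exc:
        return ("INVALID", f"embedded header: {exc}", None)
    if len(ipayload) < 4:
        return ("INVALID", "embedded packet lacks port fields", None)
    sport, dport = struct.unpack("!HH", ipayload[:4])
    key = (iproto, isrc, sport, idst, dport)
    reply_key = (iproto, idst, dport, isrc, sport)
    # conntrack looks the embedded tuple up in its table (either direction);
    # only a hit makes the error RELATED. The RFC 1191 next-hop MTU field is
    # what PMTU discovery needs from a type 3 / code 4 message.
    if key in TRACKED or reply_key in TRACKED:
        next_hop_mtu = mtu if (icmp_type, code) == (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) else None
        return ("RELATED", key, next_hop_mtu)
    return ("INVALID", "embedded packet matches no tracked connection", None)


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_frag_needed(router, original, next_hop_mtu):
    """ICMP type 3 code 4 from `router` about `original`: 8-byte header + inner IP header + 8 bytes."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    icmp += original[:28]
    return build_ipv4(1, router, parse_ipv4(original)[1], icmp)


# Constructed traffic. A 1440-byte TCP segment we sent on the tracked connection ...
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
OUR_SEGMENT = build_ipv4(6, "192.0.2.10", "198.51.100.5", TCP_HDR + b"x" * 1400)
# ... and the legitimate Fragmentation Needed a PPPoE hop (MTU 1492) would return for it.
LEGIT_ERROR = build_frag_needed("203.0.113.1", OUR_SEGMENT, 1492)
# A forged error of identical shape whose embedded packet cites a connection we never opened.
FORGED_INNER = build_ipv4(6, "192.0.2.10", "198.51.100.9", struct.pack("!HH", 40001, 22) + b"\0" * 16)
FORGED_ERROR = build_frag_needed("203.0.113.1", FORGED_INNER, 1492)

if __name__ == "__main__":
    for name, pkt in (("legitimate", LEGIT_ERROR), ("forged", FORGED_ERROR)):
        print(name, classify_icmp_error(pkt))
```

The legitimate packet comes back RELATED with next-hop MTU 1492, which is exactly what the stack needs to keep PMTU discovery working; the forged one is INVALID because its inner tuple hits nothing. This is why the ruleset order the reply implies (accept RELATED,ESTABLISHED before dropping NEW, e.g. `iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`) lets real errors through without accepting arbitrary type 3 traffic.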