On Dec 21, 2005 at 2108 -0500, Chris Brenton appeared and said:
> On Thu, 2005-12-22 at 01:29 +0100, René Pfeiffer wrote:
> >
> > This is true. However you need some inbound ICMP in order to support
> > things like Path MTU discovery.
>
> As mentioned, the only modern OS I'm aware of that uses straight ICMP
> for MTU path is 3-4 year old AIX boxes. The sane way to do this is to
> set Don't Fragment (DF) in the IP header and watch for returning type 3
> code 4's.

Yes, you are right. We have some of these old AIX boxes that do exactly
this kind of ICMP behaviour, and some of our servers have to talk to them.
That's why I used the conservative approach and allowed more ICMP message
types.

> I've run the following rules for about four years now on numerous
> firewalls I maintain:
>
> iptables -A FORWARD -p icmp -f -j LOG --log-prefix " ICMPFRAG "
> iptables -A FORWARD -p icmp -f -j REJECT --reject-with icmp-host-unreachable
>
> In short, the rules look for fragmented ICMP datagrams. I've seen
> exactly zero legitimate packets get picked up by this rule. Every time
> it's triggered it's been because of an attack.

That's a good idea. You can also use the packet counters to see if you
have rules that are used and if certain packets appear at your perimeter.

Best,
René.

-- 
)\._.,--....,'``.  Let GNU/Linux work for you while you take a nap.
/,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.' - System administration + Consulting + Teaching -
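The two ideas in this exchange, rejecting fragmented ICMP while still letting Path MTU discovery through, and reading the rule counters to see what actually hits the perimeter, put together as an added shell example. This is not code from the original mail or from either poster; the chain name, the legacy AIX network (192.0.2.0/24), and the sample counter output below are assumptions, and the counter output is constructed to look like `iptables -L FORWARD -v -n -x` rather than captured from a real box.

```shell
#!/bin/sh
# Added example (not from the original thread): ICMP policy for a forwarding
# firewall. Fragmented ICMP is logged and rejected as in Chris Brenton's
# rules; Fragmentation Needed (type 3 code 4) is still accepted so DF-based
# Path MTU discovery keeps working; echo probes from the assumed legacy AIX
# network are rate-limited rather than blocked outright.
# CHAIN and LEGACY_NET are assumptions; adjust them to your ruleset.

CHAIN="${CHAIN:-FORWARD}"
LEGACY_NET="${LEGACY_NET:-192.0.2.0/24}"   # assumed: hosts that PMTU-probe with plain echo

# Print the rules rather than applying them, so they can be reviewed (and tested).
# Order matters: the fragment rules come first, because --icmp-type cannot be
# evaluated on a non-first fragment and a later ACCEPT could otherwise let one through.
icmp_rules() {
    # A legitimate ICMP error is only the IP header plus 8 bytes of the
    # offending datagram, so it never needs fragmenting: log and reject.
    printf '%s\n' "iptables -A $CHAIN -p icmp -f -j LOG --log-prefix \" ICMPFRAG \""
    printf '%s\n' "iptables -A $CHAIN -p icmp -f -j REJECT --reject-with icmp-host-unreachable"
    # PMTU discovery with DF set relies on type 3 code 4 reaching the sender.
    printf '%s\n' "iptables -A $CHAIN -p icmp --icmp-type fragmentation-needed -m conntrack --ctstate RELATED -j ACCEPT"
    # TTL expiry keeps traceroute and broken-path diagnosis working.
    printf '%s\n' "iptables -A $CHAIN -p icmp --icmp-type time-exceeded -m conntrack --ctstate RELATED -j ACCEPT"
    # Legacy boxes that probe the path with echo requests: allow, but rate-limit.
    printf '%s\n' "iptables -A $CHAIN -p icmp --icmp-type echo-request -s $LEGACY_NET -m limit --limit 10/s -j ACCEPT"
    printf '%s\n' "iptables -A $CHAIN -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

apply_icmp_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_icmp_rules: must run as root" >&2; return 1; }
    icmp_rules | sh -e
}

# Sum the pkts column of every counter line whose text matches $1.
# Reads `iptables -L <chain> -v -n -x` output on stdin; -x gives exact counts.
count_rule_hits() {
    awk -v pat="$1" '$0 ~ pat { sum += $1 } END { printf "%d\n", sum }'
}

# Constructed sample of `iptables -L FORWARD -v -n -x` output (not real data).
SAMPLE_COUNTERS=$(cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12       960 LOG        icmp -f  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix " ICMPFRAG "
      12       960 REJECT     icmp -f  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
   48213   3981004 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 ctstate RELATED
     733     61572 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 ctstate RELATED
EOF
)

case "${1:-}" in
    --show)  icmp_rules ;;
    --apply) apply_icmp_rules ;;
    --demo)  printf '%s\n' "$SAMPLE_COUNTERS" | count_rule_hits ICMPFRAG ;;
esac
```

`sh icmp-policy.sh --show` prints the rules for review; `--apply` loads them as root. On a live box the counter check is `iptables -L "$CHAIN" -v -n -x | count_rule_hits ICMPFRAG`; a non-zero result on the LOG rule means fragmented ICMP did reach the perimeter, while a zero on the fragmentation-needed ACCEPT rule over a long period is worth investigating, since it usually means type 3 code 4 is being eaten somewhere upstream and PMTU discovery is silently failing.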