From: Alexander Samad <alex@samad.com.au>
To: netfilter@lists.netfilter.org
Subject: Re: ICMP types
Date: Sun, 1 May 2005 08:35:38 +1000 [thread overview]
Message-ID: <20050430223538.GC12091@samad.com.au> (raw)
In-Reply-To: <427378BC.6070804@danbbs.dk>
[-- Attachment #1: Type: text/plain, Size: 4253 bytes --]
On Sat, Apr 30, 2005 at 02:23:24PM +0200, Mogens Valentin wrote:
> Ken Hilliard wrote:
> > In reading different firewall scripts/tutorials many of them recommend
> > filtering ICMP packets. I added ICMP filter in my firewall but was
> > unsure of the value as well. What is the consensus view out there?
>
> Not wanting to comment what the consensus are, but some types are
> generally considered nessesary to filter/allow.
>
> But its really not just a matter of filtering this-or-that, also what's
> set in /proc . There's a lot to read...
> A few ideas:
>
> Filtering ICMP:
>
> ### Define icmp_packets chain:
> $IPT -F icmp_packets
> $IPT -X icmp_packets
> $IPT -N icmp_packets
> $IPT -A icmp_packets -p icmp --icmp-type echo-request -j ACCEPT
> $IPT -A icmp_packets -p icmp --icmp-type echo-reply -j ACCEPT
> $IPT -A icmp_packets -p icmp --icmp-type destination-unreachable -j
> ACCEPTlog
> $IPT -A icmp_packets -p icmp --icmp-type network-unreachable -j
> ACCEPTlog
> $IPT -A icmp_packets -p icmp --icmp-type network-prohibited -j
> ACCEPTlog
> $IPT -A icmp_packets -p icmp --icmp-type source-quench -j ACCEPTlog
> $IPT -A icmp_packets -p icmp --icmp-type parameter-problem -j ACCEPTlog
> $IPT -A icmp_packets -p icmp --icmp-type time-exceeded -j ACCEPTlog
> $IPT -A icmp_packets -p icmp --icmp-type fragmentation-needed -j
> ACCEPTlog
> #$IPT -A icmp_packets -p icmp -j ACCEPTlog
> $IPT -A icmp_packets -p icmp -j LOG
why not use
-m limit --limit 1/s --limit-burst 5
as well to limit them and then drop the rest!
>
>
>
> A few /proc settings:
>
> ### /proc settings:
> setup_procfs() {
>
> # Disable forwarding while setting up rules (needed for
> masquerading):
> # Note: this is now done in forwarding.def
> #echo "0" >/proc/sys/net/ipv4/ip_forward
>
> # Initially, disable ICMP echo-requests altogether (normally only
> used if DoSed):
> # Note: this is now done in forwarding.def
> #echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all
>
> # Disable ICMP echo-request to broadcast addresses (Smurf amplifier):
> echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Enable syn-cookies (prevent syn-flood attacks):
> echo "1" >/proc/sys/net/ipv4/tcp_syncookies
>
> # Reduce number of possible SYN Floods:
> echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog
>
> # Enable defrag error protection:
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> # Enable time-wait assassination hazards in tcp (RFC 1337):
> echo "1" >/proc/sys/net/ipv4/tcp_rfc1337
>
> # Prevent remote digging of OS-type and uptime (RFC1323):
> #echo "1" >/proc/sys/net/ipv4/tcp_timestamps # enable
> timestamps
> echo "0" >/proc/sys/net/ipv4/tcp_timestamps # disable
> timestamps
>
> # Disable RFC2018 TCP Selective Acknowledgements:
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
>
> # Sourcerouting and spoofing:
> for i in /proc/sys/net/ipv4/conf/*; do
> # Drop all source-routed packets:
> echo "0" >$i/accept_source_route
>
> # Deactivate normal ICMP redirect accept/send:
> echo "0" >$i/accept_redirects
> echo "0" >$i/send_redirects
>
> # Activate secure ICMP redirects (send only?) (on by
> default):
> echo "1" >$i/secure_redirects
>
> # Enable ingress + egress source-address verification
> (prevent spoofing):
> #echo "0" >$i/rp_filter # disable
> echo "1" >$i/rp_filter # enable
> done
>
> # Log spoofed, source routed and redirect packets:
> #echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
> echo 0 >/proc/sys/net/ipv4/conf/all/log_martians
>
> }
>
> --
> Kind regards,
> Mogens Valentin
>
>
> Q: How does a hacker fix a function which doesn't
> work for all of the elements in its domain?
> A: He changes the domain.
> -- unknown
>
>
>
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2005-04-30 22:35 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-30 9:53 ICMP types varun_saa
2005-04-30 10:28 ` Sertys
2005-04-29 19:49 ` Ken Hilliard
2005-04-30 12:23 ` Mogens Valentin
2005-04-30 22:35 ` Alexander Samad [this message]
2005-04-30 23:40 ` Mogens Valentin
2005-04-30 22:55 ` Taylor, Grant
2005-04-30 23:22 ` R. DuFresne
2005-04-30 23:36 ` Taylor, Grant
2005-04-30 23:53 ` R. DuFresne
2005-05-01 3:29 ` Dean Anderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050430223538.GC12091@samad.com.au \
--to=alex@samad.com.au \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.