From: Ronald <ronald645@gmail.com>
To: Dean Anderson <dean@av8.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Unable to block ICMP
Date: Mon, 16 Apr 2007 07:30:14 +0200 [thread overview]
Message-ID: <462309E6.60407@gmail.com> (raw)
In-Reply-To: <Pine.LNX.4.44.0704151606090.16569-100000@citation2.av8.net>
Dean Anderson wrote:
> On Sun, 15 Apr 2007, Ronald wrote:
>
>
>> Well, what I actually wanted (which I probably explained wrong) is that
>> my ports that are not in use (closed) are being invisible (no ICMP
>> echo). That better?
>>
>
> ICMP echo is not a per-port operation. I don't know what the site you
> quote means by 'closed'. Also, blocking all ICMP is never a really good
> idea: (recently updated)
>
> http://www.av8.net/ICMPTypes.txt
>
> I agree with the other posters': that you should block TCP and UDP
> connections to all ports by default, and open only those that you trust
> are exposable to the world, or better, just to whomever you have to
> expose them to.
>
> I suggest searching for instructions on how to do linux firewalls, and
> following them, rather than trying to roll your own rules by trial and
> error.
>
> --Dean
>
>
That is currently my setup, but some applications like Skype require
everything above 1024 to be open.
Furthermore, that setup would be really easy: I only block what I don't
want and allow everything else, and closed ports are shown as stealth.
Once an application is started it will open a port and I don't have to
reconfigure my firewall. I have this on Windows (with Comodo), like this:
- Block incoming traffic with destination port 135, 445, etc.
- Block outgoing ICMP traffic
- Allow all (the rest)
This is the easiest way: all applications just work without
reconfiguring the firewall, and closed ports are stealth. But since you
guys say so, I'll keep it this way (drop all, accept some).
Thanks
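As an added illustration (not part of the thread), here is what the two approaches discussed above look like as iptables rules: Ronald's allow-by-default blocklist next to the "drop all, accept some" ruleset the list recommends. The exposed service (SSH on 22) and the blocked port list are assumptions; `IPT` defaults to `iptables` and can be pointed elsewhere for a dry run.

```shell
#!/bin/sh
# Example only; not from the original thread. Run as root to apply.
IPT="${IPT:-iptables}"

# Ronald's Comodo-style setup: accept everything, block a short list.
# Any service that later binds a port is immediately reachable from the
# Internet, and dropping all ICMP also kills path-MTU discovery.
blocklist_rules() {
    $IPT -F INPUT; $IPT -F OUTPUT
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT  -p tcp -m multiport --dports 135,139,445 -j DROP
    $IPT -A OUTPUT -p icmp -j DROP
}

# The recommended setup: nothing in unless explicitly allowed.
# Replies to connections this host opened are admitted by conntrack, which is
# what lets Skype-style clients work without opening 1024-65535.
default_deny_rules() {
    $IPT -F INPUT; $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Services deliberately exposed (assumed: SSH only).
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Keep the ICMP that IP itself depends on instead of blocking all ICMP.
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    # Echo requests can be answered (rate-limited) or simply left to the
    # DROP policy if the host should not answer pings at all.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Everything else hits the INPUT DROP policy: no RST or port-unreachable
    # is sent, which is what port scanners report as "stealth".
}

case "${1:-}" in
    blocklist) blocklist_rules ;;
    apply)     default_deny_rules ;;
esac
```

Dry-run with `IPT=echo sh script.sh apply` to print the rules instead of loading them.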