From: Michael Hissler <mhis38@freenet.de>
To: netfilter@lists.netfilter.org
Subject: Re: Unable to block ICMP
Date: Tue, 17 Apr 2007 11:20:36 +0200
Message-ID: <46249164.1020902@freenet.de>
In-Reply-To: <4623AA24.4000002@gmail.com>
Ronald wrote:
[...]
> That is weird, if you block ICMP outgoing in comodo, all the closed
> ports are shown as stealthed. This is really confusing ...
What is comodo?
Which scan test are you using? If it's a UDP scan this is not weird. If
a closed port (i.e. a port no service is listening on) is contacted, an
ICMP port unreachable message is sent back. By blocking this ICMP
message (or blocking all outgoing ICMP traffic), you get the same result
as if you blocked the incoming packet: the sender doesn't get a response
and so the port is 'stealthed'.
If it's a TCP scan, the kernel sends back a TCP Reset. In this case
blocking ICMP should have no effect (in this case: yes, it's weird).
BTW: If you block traffic to ports services are listening on, but accept
traffic to closed ports, someone who scans your IP knows:
1. You are there. He gets ICMP port unreachable messages or TCP Reset
for the closed but unblocked (not 'stealthed') ports.
2. He knows which ports you are running services on (-> the ports he
doesn't get the ICMP messages or TCP Reset).
This may not be what you want.
You wrote that skype requires having everything open above port 1024.
This can't be true!
Skype works perfectly if you accept all outgoing traffic and
a) configure skype to use a certain port and accept incoming traffic to
this port,
or (better)
b) drop *all* incoming traffic and use connection tracking. This lets
pass all incoming packets belonging to a connection initialized by your
computer:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(you can leave out the ',RELATED' but then you'll run into trouble with
e.g. FTP and ICMP error messages)
michael
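As an added illustration of option (b) above (this script is not part of Michael's reply or of the netfilter project), the following sketch puts a default-DROP, connection-tracked INPUT policy next to the "drop only the service ports" layout the reply warns about, and adds a small check that a ruleset has the two properties that matter here. The port number in SERVICE_PORT, the INVALID drop and the two ports in the leaky ruleset are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. SERVICE_PORT is an assumed
# value; replace it with whatever port the application was configured to use.
SERVICE_PORT="${SERVICE_PORT:-34567}"

# Option (b): default DROP, let connection tracking pass replies to
# connections this host started, and open only the one configured port.
# RELATED is what admits ICMP error messages (and e.g. FTP data) for
# our own flows; without it those get dropped too.
stateful_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --dport $SERVICE_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport $SERVICE_PORT -j ACCEPT
EOF
}

# The layout the reply warns about: ACCEPT by default, DROP only the ports
# with services (22 and 80 are constructed sample values). Closed ports
# still answer with a TCP Reset or ICMP port unreachable, so a scan sees
# exactly which ports were singled out.
leaky_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
EOF
}

# Returns 0 when the ruleset text sets a DROP default for INPUT and admits
# RELATED traffic (needed for ICMP errors), 1 otherwise.
ruleset_ok() {
    printf '%s\n' "$1" | grep -q '^iptables -P INPUT DROP$' || return 1
    printf '%s\n' "$1" | grep -q -- '--state ESTABLISHED,RELATED' || return 1
    return 0
}

case "${1:-print}" in
    apply) stateful_rules | sh ;;                       # run as root
    check) ruleset_ok "$(stateful_rules)" && echo ok ;;
    *)     stateful_rules ;;                            # dry run: print only
esac
```

Run it without arguments to print the rules, with `check` to verify them, and with `apply` as root to load them. The `-m state` match is used because that is what the reply shows; newer kernels also accept `-m conntrack --ctstate` with the same meaning.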
Thread overview (13+ messages):
2007-04-15 15:13 Unable to block ICMP Ronald
2007-04-15 15:16 ` Thomas d'Otreppe
[not found] ` <46224EFE.6060409@gmail.com>
2007-04-15 16:14 ` Thomas d'Otreppe
2007-04-15 17:10 ` Ronald
2007-04-15 18:14 ` Rob Sterenborg
2007-04-15 20:29 ` Dean Anderson
2007-04-16 5:30 ` Ronald
2007-04-17 9:46 ` Marc Haber
2007-04-17 15:12 ` Cedric Blancher
2007-04-15 22:01 ` Michael Hissler
2007-04-16 16:53 ` Ronald
2007-04-17 9:20 ` Michael Hissler [this message]
2007-04-19 9:23 ` Ronald