From: Ronald <ronald645@gmail.com>
To: Michael Hissler <mhis38@freenet.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: Unable to block ICMP
Date: Thu, 19 Apr 2007 11:23:39 +0200
Message-ID: <4627351B.8010205@gmail.com>
In-Reply-To: <46249164.1020902@freenet.de>
Michael Hissler wrote:
> Ronald wrote:
>
> [...]
>
>
>> That is weird, if you block ICMP outgoing in comodo, all the closed
>> ports are shown as stealthed. This is really confusing ...
>>
>
> What is comodo?
>
> Which scan test are you using? If it's a UDP scan this is not weird. If
> a closed port (i.e. a port no service is listening on) is contacted, an
> ICMP port unreachable message is sent back. By blocking this ICMP
> message (or blocking all outgoing ICMP traffic), you get the same result
> as if you blocked the incoming packet: the sender doesn't get a response
> and so the port is 'stealthed'.
> If it's a TCP scan, the kernel sends back a TCP Reset. In this case
> blocking ICMP should have no effect (in this case: yes, it's weird).
>
>
> BTW: If you block traffic to ports services are listening on, but accept
> traffic to closed ports, someone who scans your IP knows:
>
> 1. You are there. He gets ICMP port unreachable messages or TCP Reset
> for the closed but unblocked (not 'stealthed') ports.
> 2. He knows which ports you are running services on (-> the ports he
> doesn't get the ICMP messages or TCP Reset).
>
> This may not be what you want.
>
>
> You wrote that skype requires having everything open above port 1024.
> This can't be true!
> Skype works perfectly if you accept all outgoing traffic and
>
> a) configure skype to use a certain port and accept incoming traffic to
> this port,
>
> or (better)
>
> b) drop *all* incoming traffic and use connection tracking. This lets
> pass all incoming packets belonging to a connection initialized by your
> computer:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> (you can leave out the ',RELATED' but then you'll run into trouble with
> e.g. FTP and ICMP error messages)
>
> michael
>
THANKS! That:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
was just what I was looking for :D . I recompiled my kernel with support
for it and it works amazingly :D .
Way to go :)
Ronald
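An added example (not from either poster) of the option (b) ruleset Michael describes: a DROP default on INPUT so that scans of closed ports get neither a TCP Reset nor an ICMP port unreachable, plus the ESTABLISHED,RELATED rule so replies and related ICMP/FTP packets still pass. It assumes an iptables with the state match, and SKYPE_PORT is an assumed placeholder for whatever port the client is configured to listen on.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry run by default (rules are
# printed); pass "apply" as the first argument to run them for real.
IPT="${IPT:-iptables}"
# Assumed placeholder: the listening port configured in the Skype client.
SKYPE_PORT="${SKYPE_PORT:-40000}"

build_rules() {
    # DROP default on INPUT: unsolicited packets, including probes of closed
    # ports, are silently discarded, so no RST and no ICMP port unreachable
    # leaves the host. Outgoing ICMP does not need to be blocked for that.
    $IPT -P INPUT DROP
    $IPT -F INPUT
    # Loopback is always local.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus RELATED packets such as
    # ICMP error messages and FTP data connections. Leaving out RELATED is
    # what breaks FTP and ICMP errors, as Michael notes.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Optional option (a) rule: expose only the one configured listening port.
    # Every other port falls through to the DROP policy.
    $IPT -A INPUT -p tcp --dport "$SKYPE_PORT" -j ACCEPT
    $IPT -A INPUT -p udp --dport "$SKYPE_PORT" -j ACCEPT
    # All outgoing traffic stays allowed.
    $IPT -P OUTPUT ACCEPT
}

# Number of INPUT rules the script would add, computed from a dry run.
rule_count() {
    ( IPT=echo; build_rules ) | grep -c -- '-A INPUT'
}

if [ "${1:-}" = "apply" ]; then
    build_rules
else
    ( IPT=echo; build_rules )
fi
```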