From: Ronald <ronald645@gmail.com>
To: Michael Hissler <mhis38@freenet.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: Unable to block ICMP
Date: Thu, 19 Apr 2007 11:23:39 +0200
Message-ID: <4627351B.8010205@gmail.com>
In-Reply-To: <46249164.1020902@freenet.de>
Michael Hissler wrote:
> Ronald wrote:
>
> [...]
>
>
>> That is weird, if you block ICMP outgoing in comodo, all the closed
>> ports are shown as stealthed. This is really confusing ...
>>
>
> What is comodo?
>
> Which scan test are you using? If it's a UDP scan this is not weird. If
> a closed port (i.e. a port no service is listening on) is contacted, an
> ICMP port unreachable message is sent back. By blocking this ICMP
> message (or blocking all outgoing ICMP traffic), you get the same result
> as if you blocked the incoming packet: the sender doesn't get a response
> and so the port is 'stealthed'.
> If it's a TCP scan, the kernel sends back a TCP Reset. In this case
> blocking ICMP should have no effect (in this case: yes, it's weird).
>
>
> BTW: If you block traffic to ports services are listening on, but accept
> traffic to closed ports, someone who scans your IP knows:
>
> 1. You are there. He gets ICMP port unreachable messages or TCP Reset
> for the closed but unblocked (not 'stealthed') ports.
> 2. He knows which ports you are running services on (-> the ports he
> doesn't get the ICMP messages or TCP Reset).
>
> This may not be what you want.
>
>
> You wrote that skype requires to have everything open above port 1024.
> This can't be true!
> Skype works perfectly if you accept all outgoing traffic and
>
> a) configure skype to use a certain port and accept incoming traffic to
> this port,
>
> or (better)
>
> b) drop *all* incoming traffic and use connection tracking. This lets
> pass all incoming packets belonging to a connection initialized by your
> computer:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> (you can leave out the ',RELATED' but then you'll run into trouble with
> e.g. FTP and ICMP error messages)
>
> michael
THANKS! That:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
was just what I was looking for :D . I recompiled my kernel with support
for it and it works amazingly :D .
Way to go :)
Ronald
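A complete stateful INPUT policy along the lines of Michael's option b), as an added example (this is not code from the mail, nor Skype's or netfilter's own documentation). It assumes SKYPE_PORT is whatever port you configured in Skype's connection settings (12345 below is a placeholder), that iptables is in PATH, and that the kernel has connection tracking built in or as a module. With DRY_RUN=1 the script prints the commands instead of applying them, so the ruleset can be reviewed before it touches the host:

```sh
#!/bin/sh
# Stateful INPUT policy for a single host: drop everything inbound by
# default, let connection tracking admit replies to connections this
# host opened, and open exactly one port for Skype.
# Added example, not part of the original thread.
# Assumptions: SKYPE_PORT is the port set in Skype (12345 is a placeholder),
# iptables(8) is in PATH.  DRY_RUN=1 prints instead of executing.

SKYPE_PORT="${SKYPE_PORT:-12345}"   # placeholder; use Skype's configured port
IPT="${IPT:-iptables}"

# Execute an iptables command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Build the INPUT chain.  The conntrack rule goes first: it matches the bulk
# of legitimate traffic cheaply.  The DROP policy is set last, so a remote
# admin session is not cut off between flushing the chain and inserting the
# rule that lets its packets through.
apply_input_policy() {
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT            # local processes talking to themselves
    # ESTABLISHED: replies to connections we opened.
    # RELATED: packets the conntrack helpers tie to an existing connection,
    # e.g. the FTP data channel and ICMP errors (port/host unreachable,
    # fragmentation needed) for our own flows.  Dropping RELATED is what
    # breaks FTP and path MTU discovery.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The one published service: Skype's configured port, TCP and UDP.
    # Every other unsolicited packet falls through to the DROP policy, so a
    # scanner sees neither a TCP RST nor an ICMP port unreachable and cannot
    # tell closed ports from firewalled ones.
    run -A INPUT -p tcp --dport "$SKYPE_PORT" -m state --state NEW -j ACCEPT
    run -A INPUT -p udp --dport "$SKYPE_PORT" -j ACCEPT
    # Optional: answer pings.  Remove this line to stay silent to echo requests.
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run -P INPUT DROP                       # default: silently discard
}

# Sanity check on a ruleset listing (e.g. `iptables -S INPUT`) read from
# stdin: with a DROP policy but no conntrack rule, the host would also drop
# the replies to its own outbound connections.  iptables -S prints the
# states as RELATED,ESTABLISHED; a hand-written rule may use the other order.
check_input_policy() {
    grep -qE -- '--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED)'
}

case "${1:-}" in
    show)  DRY_RUN=1; apply_input_policy ;;
    apply) apply_input_policy && "$IPT" -S INPUT | check_input_policy ;;
esac
```

Run `sh firewall.sh show` to see the generated rules, then `sudo sh firewall.sh apply` to install them; the apply path exits non-zero if the conntrack rule is missing from the resulting chain. On current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the preferred spelling and `-m state` is kept as a compatibility alias, so either works with the same semantics. The kernel needs connection tracking (the ip_conntrack / nf_conntrack and state-match options) for the rule to load at all, which is the support Ronald had to compile in.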