[lug] IP Tables

karl horlen horlenkarl at yahoo.com
Sat Sep 22 16:56:40 MDT 2007


> > took a turn and it can be explored.  It helps me
> > understand this better and create a better
> > firewall.
> 
> Yeah, it sure does depend. Lots of ways to do
> things. ;) 

I think we came to the same conclusion to use
DROP.  According to your explanation, it is
entirely true that because a DROP provides no
reply, a requestor would likely keep trying.
My rationale is that the only ones trying those
closed ports are going to be rogue requestors anyway.

My thought is that hackers are not likely
to keep retrying (but maybe they would) and just
move on.  If they did get a reject though, they
might just keep trying.  Probably another port.

> Well, ping is kind of handy to allow for network
> problem debugging. I
> know folks who block it, then confuse themselves
> because they try later
> to use ping as a diagnostic tool. ;) 
> 
> Also, some ICMP is needed. If you block all ICMP you
> are going to
> potentially run into problems with some tcp
> connections that use things
> like path mtu discovery and the like (which uses
> icmp). You can however
> just allow those types of ICMP and still reject
> ping. 

That's the confusion I was finding when trying to
evaluate this on the net.  It wasn't clear to me
what folks exactly were doing with the various icmp
rules.

I guess I can just set a rule to leave all generic
icmp requests open. I don't think it presents much
danger unless somebody executed a coordinated ping
attack, which for me is pretty unlikely.  

I think the way the example looks as posted in this
thread, I'm NOT allowing any icmp, which means I
either need to add a generic rule or a more specific
one for various mtus and other tcp considerations you
mentioned above.

Any specifics you could share based on the example
posted in this thread?

> > There is also the possibility that i've failed to account
> > for some other port or service that I SHOULD have.
> > Is there another NON-obvious rule that SHOULD
> > PROBABLY be in there?
> 
> That depends entirely on what services you are
> offering for the world. 

The specific services I mentioned, smtp, ssh, apache
are the only services I am explicitly allowing.  This
question was aimed at some obscure rule that may have
been forgotten or I'm not smart enough to know about,
like the mtu on icmp you mentioned above.

> Also see my blog post about this a while back: 
> http://www.tummy.com/journals/entries/kevin_20050314_131358

Thanks.
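The ICMP question asked above (keep the ICMP types TCP needs for path MTU discovery, still refuse ping, DROP policy, only smtp/ssh/apache open) as an added, runnable example. This is not code from the thread or from the blog post linked above; the port list, the loopback rule and the rule order are assumptions based on the services named in this message. It runs as a dry run that prints the iptables commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal INPUT chain for the firewall
# discussed above. Dry-run by default: prints the commands instead of running
# them. IPT=iptables applies them for real (needs root).
IPT="${IPT:-echo iptables}"

# ICMP types the host should still accept even when ping is refused.
icmp_rules() {
    # Type 3 "destination unreachable" includes code 4 "fragmentation needed",
    # which path MTU discovery depends on; dropping it stalls large transfers
    # across links with a smaller MTU (connections hang after the handshake).
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # Type 11 lets traceroute and TTL-related diagnostics work.
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    # Type 12 reports malformed headers back to the sender.
    $IPT -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
    # Echo-request (ping) and every remaining ICMP type are silently dropped,
    # consistent with the chain's DROP policy.
    $IPT -A INPUT -p icmp -j DROP
}

# Whole chain: loopback and established traffic first, then the explicitly
# offered services, then the ICMP rules, and the DROP policy set last so an
# ssh session used to load the rules is not cut off mid-way.
firewall_rules() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host started, and ICMP errors tied to an
    # existing connection (RELATED), are accepted before any service rule.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 25 22 80; do   # smtp, ssh, apache: the only services offered
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    icmp_rules
    # Policy DROP already covers the rest; an explicit final DROP rule gives
    # a per-rule counter for what is being discarded (iptables -L INPUT -v).
    $IPT -A INPUT -j DROP
    $IPT -P INPUT DROP
}

firewall_rules
```

The ESTABLISHED,RELATED rule near the top is what makes the rest short: ICMP errors that belong to an existing TCP connection already match RELATED, and the explicit ICMP accepts only cover errors that arrive before conntrack has an entry to tie them to.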
