denying ping

[nyook]

I have a question on ICMP, too.

On my box, I've set up some iptables rules, to only allow as much 
outgoing traffic as is needed by my running applications. My firewall's 
default policy is DROP. In order not to accidentally allow a programm to 
access the net, I have to deny all traffic, including ICMP messages 
(because information can be easily tunneled inside an ICMP packet).

The logical consequence of this is that my box doesn't respond to ping 
requests anymore, which I consider bad behaviour. I'd like to be able to 
deny ICMP messages for the userland executables, but the kernel (or net 
driver) should be still allowed to send ping responses.

Any suggestions on how I may achieve this? I hadn't any luck with '-m 
owner --uid-owner root'. Thanks

Alan Horn wrote:
> Russell,
> 
> It's a bad idea to deny all icmp, it breaks things like mtu discovery.
> There are many different types of icmp, and although denying most is OK,
> some you should let in. Off the top of my head I don't recall the type
> numbers of the ones you want to drop, and the ones you want to keep
> 
> You're probably better off searching for the right ways to deny pings
> using ipchains or whatever firewall linux is uing nowadays. Then deny only
> specific types. Search engine is your friend in this regard since it's
> generally a very well solved problem.
> 
> Unless you know what you're doing with denying pings, in which case ignore
> what I just said :)
> 
> Cheers,
> 
> Al
> 
> 
> On Mon, 8 Mar 2004, russell wrote:
> 
> 
>>Date: Mon, 08 Mar 2004 22:00:22 -0500
>>From: russell <simmonsr at verizon.net>
>>Reply-To: fedora-list at redhat.com
>>To: fedora-list at redhat.com
>>Subject: denying ping
>>
>>I'm trying to deny ping access on my new fedora box.  I run:  #  echo 1
>>
>>>/proc/sys/net/ipv4/icmp_echo_ignore_all, but this doen't work.  Does
>>
>>anyone have any ideas how to deny icmp requests on fedora?
>>
>>tia
>>
>>russell
>>
>>
>>
> 
> 
>