denying ping
Bevan C. Bennett
bevan at fulcrummicro.com
Tue Mar 9 18:10:24 UTC 2004
nyook wrote:
> I have a question on ICMP, too.
>
> On my box, I've set up some iptables rules, to only allow as much
> outgoing traffic as is needed by my running applications. My firewall's
> default policy is DROP. In order not to accidentally allow a program to
> access the net, I have to deny all traffic, including ICMP messages
> (because information can be easily tunneled inside an ICMP packet).
Wow. That's pretty paranoid (and depending on what your allowed traffic
is possibly completely extraneous).
> The logical consequence of this is that my box doesn't respond to ping
> requests anymore, which I consider bad behaviour. I'd like to be able to
> deny ICMP messages for the userland executables, but the kernel (or net
> driver) should be still allowed to send ping responses.
Try something like the following...
In your input chain:
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
In your output chain:
-A RH-Firewall-1-OUTPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
That should, if it's working correctly, only allow echo-reply packets
that are responding to an incoming echo-request.
> Any suggestions on how I may achieve this? I hadn't any luck with '-m
> owner --uid-owner root'. Thanks
You probably -really- want to start looking into SELinux, which offers
much more fine grained security over what processes are or are not
allowed to do.
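A complete default-DROP ruleset built around the two rules above, as an added example that is not part of the original thread. It assumes the built-in INPUT/OUTPUT chains rather than the RH-Firewall-1-* chains from the post, and the allowed egress ports (53 and 443) are constructed sample values to be replaced with whatever the box's applications actually need.

```shell
#!/bin/sh
# Added example, not from the original thread: an iptables-restore ruleset
# that denies all traffic by default, allows only an explicit egress list,
# and still lets the kernel answer pings. Ports 53/443 are sample values.
set -eu

ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, plus inbound replies to connections this box initiated.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Per-application egress allow-list (constructed sample ports).
-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Pings: echo-request in, echo-reply out only when conntrack has already
# seen the matching request. Any other ICMP, including an unsolicited
# echo-reply crafted by a userland program, falls through to the DROP policy.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the whole filter table in one step (needs root). iptables-restore
# replaces the table atomically, so a typo never leaves it half-applied.
apply_ruleset() {
    ruleset | iptables-restore
}

# iptables -C exits non-zero if a rule with exactly these matches is absent,
# which makes it a cheap post-deploy check for the two ICMP rules.
check_icmp_rules() {
    iptables -C INPUT -p icmp --icmp-type echo-request -j ACCEPT &&
    iptables -C OUTPUT -p icmp --icmp-type echo-reply \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
    check_icmp_rules && echo "ICMP echo rules active"
fi
```

Run it as root with the argument `apply` to load and verify the rules; `-m state` is the older spelling of `-m conntrack --ctstate` and both load the same connection-tracking module on current kernels.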