Questions about ICMP

John Summerfield debian at herakles.homelinux.org
Thu Dec 6 02:13:39 UTC 2007


Rick Stevens wrote:
> On Wed, 2007-12-05 at 16:00 -0800, Daniel B. Thurman wrote:
>> Craig White wrote:
>>
>>> Sent: Wednesday, December 05, 2007 3:33 PM
>>> To: For users of Fedora
>>> Subject: Re: Questions about ICMP
>>>
>>>
>>> On Wed, 2007-12-05 at 15:27 -0800, Daniel B. Thurman wrote:
>>>> Should ICMP packets be allowed both over the
>>>> Internet or should it be allowed to pass only in
>>>> the local networks?
>>>>
>>>> I have a firewall appliance and trying to make sure
>>>> that I am being secured properly.
>>> ----
>>> disabling icmp echo requests is a great feature for the ultra-paranoid
>>>
>>> Craig
>>>
>>> -- 
>> So... am I to read this as it is a good idea to disable all icmp
>> requests?  I get a LOT of ICMP requests from the Internet probing
>> at my ports, which are disabled.  This is a good idea?
> 
> There is no reason for people to ICMP you unless they're just snooping
> to see what IPs are in use--and that can indicate an oncoming hack
> attempt.  It is a very good idea to turn it off.

Bah humbug.
If I want to know whether you're running an email server, I'll just open 
a connexion. A failure tells me all I need to know. icmp (other than 
those necessary for the transaction) has nothing to do with it.

The _only_ risks I know with icmp are
1. DoS by overloading your connexion.
Can equally well be done with other IP traffic such as UDP or TCP.
Can't usefully be blocked by you anyway, by the time the traffic reaches 
your gateway the harm is done. Has to be blocked at your ISP or further out.
2. Actually breaking your kernel. It has happened (teardrop I think did 
that some years ago).
I'm not going to worry about that one, there are many greater risks to 
being on the 'net.

> 
> I do...at least at my router/firewall.  The Internet doesn't need to
> know I'm there.  Internally I leave it enabled so I can verify my
> machines are alive (that and SNMP stuff).  So if you're on my private
> network, pings are OK.  I ignore attempts from the outside (in iptables
> parlance, "-j DROP").

My requirements are a little different, I run some of my own Internet 
services and need to connect to other machines I control.

At my firewall I log and drop unwelcome traffic, I rate-limit some 
traffic (it's hard to enumerate accounts and passwords at five 
connexions per hour), and log and reject unwanted traffic within one of 
my LANs.



-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
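An added example, not part of John's message or of the thread, that turns the policy he sketches (admit the ICMP a transaction actually needs, rate-limit rather than blanket-drop echo requests, log-and-drop unwelcome traffic on the Internet side, log-and-reject inside the LAN, and slow connection attempts to a handful per hour) into a concrete iptables ruleset. The function only prints the rules, so it can be reviewed offline; the interface names and LAN prefix passed to it are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for an ICMP policy
# in the spirit of John's description. Nothing here touches the kernel; the
# function prints iptables commands that can be reviewed and then piped to
# sh as root on a real gateway. Interface and network arguments are assumed.

# gen_icmp_policy WAN_IF LAN_IF LAN_NET
gen_icmp_policy() {
    wan="$1"; lan="$2"; lan_net="$3"

    # Dedicated chains so the policy can be reviewed and flushed as a unit.
    echo "iptables -N ICMP_IN"
    echo "iptables -N LOGDROP"
    echo "iptables -N LOGREJECT"

    # Log (rate-limited, so a flood cannot fill the disk) then drop silently on
    # the Internet side; log then send a polite reject inside the LAN.
    echo "iptables -A LOGDROP -m limit --limit 10/min -j LOG --log-prefix 'DROP: '"
    echo "iptables -A LOGDROP -j DROP"
    echo "iptables -A LOGREJECT -m limit --limit 10/min -j LOG --log-prefix 'REJECT: '"
    echo "iptables -A LOGREJECT -j REJECT --reject-with icmp-admin-prohibited"

    # ICMP that TCP/UDP transactions rely on: these carry error reports
    # (unreachable, TTL expiry, bad header) and path-MTU discovery.
    for t in destination-unreachable time-exceeded parameter-problem; do
        echo "iptables -A ICMP_IN -p icmp --icmp-type $t -j ACCEPT"
    done

    # Echo requests: unlimited from the LAN (John's "are my machines alive"
    # case), rate-limited from the WAN so a ping flood costs the host little.
    echo "iptables -A ICMP_IN -i $lan -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -A ICMP_IN -i $wan -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT"

    # Any other ICMP: logged and dropped from the WAN, logged and rejected from the LAN.
    echo "iptables -A ICMP_IN -i $wan -j LOGDROP"
    echo "iptables -A ICMP_IN -i $lan -j LOGREJECT"

    # Wire the chain into INPUT. New SSH connections from the WAN are held to
    # five per hour, the rate John quotes as enough to frustrate enumeration.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ICMP_IN"
    echo "iptables -A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 5/hour --limit-burst 5 -j ACCEPT"
    echo "iptables -A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j LOGDROP"
    echo "iptables -A INPUT -i $wan -j LOGDROP"
    echo "iptables -A INPUT -i $lan -s $lan_net -j LOGREJECT"
}

# Usage: sh icmp-policy.sh eth0 eth1 192.168.1.0/24        (review)
#        sh icmp-policy.sh eth0 eth1 192.168.1.0/24 | sh   (apply, as root)
if [ "$#" -eq 3 ]; then
    gen_icmp_policy "$@"
fi
```

The error-reporting ICMP types are accepted on both interfaces because dropping them is what silently breaks path-MTU discovery and turns a refused connection into a long timeout, which is the practical cost of "block all ICMP". Echo requests are throttled rather than dropped, which addresses the overload risk John raises without making the host invisible to the machines he administers from elsewhere.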



