[olug] RH9 firewall security question
Tim - DZ
iceburn at dangerzone.com
Sun Feb 1 01:51:37 UTC 2004
IMO blocking ping is not worth it, whenever something breaks network-wise
the first step is to ping the affected box, if ping is "turned off" then the
first step will have to be to turn it back on.
Allowing ping should not be a security concern...though it may create
increased traffic (as Vincent points out)...
-t
-----Original Message-----
From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of
Vincent.Raffensberger at dtn.com
Sent: Saturday, January 31, 2004 6:29 PM
To: Omaha Linux User Group
Subject: Re: [olug] RH9 firewall security question
By blocking or disabling ping responses from your system you will see
substantially fewer port scans and probes. It's probably worth the
inconvenience it may sometimes cause.
You can do it in the kernel or via iptables.
To disable icmp responses via the kernel add this to /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all = 1
You could additionally add these:
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
An iptables rule to drop icmp for your external interface only would look
like this:
iptables -A INPUT -i eth0 -p icmp -j DROP
Francis Geiger <hmcsret at cox.net>
Sent by: olug-bounces at olug.org
01/31/2004 05:04 PM
Please respond to: Omaha Linux User Group <olug at olug.org>
To: Omaha linux user group email <olug at olug.org>
cc:
Subject: [olug] RH9 firewall security question
I have been reading about Linux security issues in Linux Journal. I have
my RH9 firewall set at high. I used grc.com web site to check my
firewall and it reported my ports as closed or in stealth mode. The web
site did say the TruStealth: Not all tested ports were stealth, No
unsolicited packets were received, A ping reply ICMP Echo was received.
Should I be concerned about the ping reply? If so, what can I do about
it? I have been looking at the documentation and I am getting very
confused. Thanks in advance for any help Grant
--
Francis Geiger <hmcsret at cox.net>
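A small audit script for the settings Vincent listed, added here as an example and not part of the thread: it compares the four sysctl keys against the hardened values and prints the iptables rule with its target spelled DROP (the lower-case "drop" in the original line is rejected by iptables). The ROOT argument and make_sample_tree are assumptions so it can read a constructed stand-in for /proc/sys without root; the "limit" mode goes one step beyond the thread and keeps ping answering, as Tim prefers, while rate-limiting echo requests.

```sh
# Added example, not from the OLUG thread. ROOT is an assumption: it lets
# the audit read a constructed tree instead of the live /proc/sys.

# Hardened values from the thread, in sysctl key=value form.
ICMP_POLICY="net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0"

# audit_icmp [ROOT]: print OK/MISMATCH per key and return the mismatch
# count (0 means the box is set the way Vincent described).
audit_icmp() {
    root=${1:-/proc/sys}
    bad=0
    for entry in $ICMP_POLICY; do
        key=${entry%%=*}
        want=${entry#*=}
        file="$root/$(printf '%s' "$key" | tr . /)"
        have=missing
        [ -r "$file" ] && have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# icmp_rule IFACE MODE: "drop" is Vincent's rule with the target spelled DROP
# (case-sensitive); "limit" keeps ping usable but rate-limits echo requests.
icmp_rule() {
    case $2 in
        drop)  printf 'iptables -A INPUT -i %s -p icmp -j DROP\n' "$1" ;;
        limit) printf 'iptables -A INPUT -i %s -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT\n' "$1"
               printf 'iptables -A INPUT -i %s -p icmp --icmp-type echo-request -j DROP\n' "$1" ;;
        *)     return 2 ;;
    esac
}

# make_sample_tree DIR: constructed stand-in for /proc/sys (RH9-like defaults).
make_sample_tree() {
    mkdir -p "$1/net/ipv4/conf/all"
    echo 0 > "$1/net/ipv4/icmp_echo_ignore_all"
    echo 1 > "$1/net/ipv4/icmp_ignore_bogus_error_responses"
    echo 1 > "$1/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1 > "$1/net/ipv4/conf/all/accept_redirects"
}
```

Run `audit_icmp` with no argument on a live box to check /proc/sys directly; on the constructed tree it reports two mismatches (echo replies on, redirects accepted).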
_______________________________________________
OLUG mailing list
OLUG at olug.org
http://lists.olug.org/mailman/listinfo/olug