Tue, Jul 17, 2001 at 04:22:25PM +0200, Walter Hofmann wrote:
> On Mon, 16 Jul 2001, John Patton wrote:
>
> > On Mon, Jul 16, 2001 at 02:30:29PM -0500, William Jensen wrote:
> > > I've set up a fairly restrictive set of rules for iptables and have been,
> > > up to this point, extremely satisfied with its performance. However,
> > > I've recently started having some significant issues with my cable modem
> > > provider and they routinely want to ping and traceroute to my machine.
> > > This requires me to take down my firewall and wait for them to finish,
> > > then put it back up. I'd like to make, as part of my rule set, ping and
> > > traceroute able to get through. So far I've done this for my input chain
> > > for ping
> > >
> > > -A INPUT -p icmp -j ACCEPT
> > >
> > > For traceroute I've done this:
> > >
> > > -A INPUT -p ip -j ACCEPT
> > >
> > > These appear to work, however, am I overlooking something from a
> > > security point of view by allowing any icmp and ip's through? Is there a
> > > better way?
> >
> > You could further limit your rules by specifying the source
> > address of your cable modem provider, something like:
> >
> > -A INPUT -p icmp -s provider.cable.net -j ACCEPT
>
> If William blocks all ICMP packets then I'm not surprised that he has
> connection problems. ICMP is there for a reason. In particular, if he
> blocks ICMP type destination-unreachable/fragmentation-needed then all
> his connections, which, at some point, run over a low MTU link will
> break sooner or later. This usually happens after the first big packet
> gets sent over the connection.
> This is because blocking ICMP breaks PMTU discovery.
>
> Really, ICMP is there for a reason. Nobody should expect to get away
> with blocking it, unless they are accepting random connection hangs and
> similar problems.
Using iptables with connection tracking, it isn't a problem as long as
established/related stuff is let in. If William is running public
services, most icmp protocols should be allowed from whomever, but if he
is simply trying to make his stand-alone private machine invisible to
ping sweeps, then blocking icmp is perfectly reasonable, and won't cause
any problems.

--
John Patton [EMAIL PROTECTED]
"Believe those who are seeking the truth; doubt those who find it." - Andre Gide
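A ruleset along the lines John describes, as an added example that is not part of the thread: a default-DROP INPUT chain that admits conntrack ESTABLISHED/RELATED traffic (which is how the fragmentation-needed errors PMTU discovery depends on get back in) and admits only the provider's ping and traceroute probes, next to a small lint that flags the two blanket rules from the original post. The provider range 192.0.2.0/24 and the UDP traceroute port range are assumptions; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match that iptables had in 2001.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# keeps INPUT default-DROP yet lets the provider ping/traceroute the host.

# Assumed provider source range; TEST-NET-1 is a placeholder, substitute the
# real range before loading the rules.
PROVIDER_NET="${PROVIDER_NET:-192.0.2.0/24}"

# The two rules from the post, kept only so lint_rules can show why they are broad.
BROAD_RULES='-A INPUT -p icmp -j ACCEPT
-A INPUT -p ip -j ACCEPT'

# Print rules that accept every ICMP message from any source, or every protocol.
# "-p ip" is protocol number 0 in /etc/protocols, which iptables treats as "all",
# so the traceroute rule from the post accepts every inbound packet.
lint_rules() {
    printf '%s\n' "$1" | grep -E -e '-p (ip|all|0)( |$)' -e '-p icmp -j ACCEPT'
}

# Emit the hardened ruleset for iptables-restore; $1 is the provider's range.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies and ICMP errors for flows this host opened, including
# destination-unreachable/fragmentation-needed, are RELATED/ESTABLISHED,
# so PMTU discovery keeps working without accepting arbitrary ICMP.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Ping (and Windows tracert, which uses echo) only from the provider's range.
-A INPUT -p icmp --icmp-type echo-request -s $1 -j ACCEPT
# Classic UDP traceroute probes from the provider (assumed default port range);
# the kernel answers the final hop with port-unreachable so the trace completes.
-A INPUT -p udp --dport 33434:33523 -s $1 -j ACCEPT
COMMIT
EOF
}

# Write the ruleset to a file; load it with: iptables-restore < "$1"
write_rules() {
    build_rules "$PROVIDER_NET" > "$1"
}
```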