[olug] help with iptables firewall

Dave Hull dphull at gmail.com
Wed Jul 25 18:41:45 UTC 2007


I don't know for sure and don't have time to test, but I think
IPTables may recognize ICMP packets if they are RELATED to an
ESTABLISHED connection, thus explicitly allowing icmp-type
any may not be needed. I frequently see Nessus scan results that
complain about hosts accepting and replying to certain ICMP requests,
so I think allowing any is a bad idea.

There's a great tutorial on IPTables at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html which
also seems to indicate that ICMP fragmentation needed or source quench
messages will be allowed through if they are RELATED to an ESTABLISHED
connection.

Then again, I could be wrong. It happens frequently. If I had time,
I'd set this up on my bench and try it out.

You may want to consult the firewall checklist at sans.org:

http://www.sans.org/score/checklists/FirewallChecklist.pdf?portal=6fc3aaf0f10153f4f5e563c02a4865b9
http://tinyurl.com/2l6aa9

The recommended best practice is to block ICMP echo requests and
replies and to block outgoing time exceeded and host unreachable
messages. Doing this may prevent attackers from firewalking your
firewall.

I would favor allowing in as little as possible and adjust accordingly
if you have problems.


-- 
Dave Hull
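The rules the message above describes, written out as an added example (this is not code from the original post or from the tutorial it links to). The script assumes the filter table's INPUT and OUTPUT chains already have a DROP policy and that the conntrack match module is available; it only prints the rules unless DRY_RUN=0 is set and it runs as root. The audit function at the end is a constructed helper that flags the blanket "-p icmp -j ACCEPT" rule the post argues against.

```shell
#!/bin/sh
# Added example, not code from the original message or the linked tutorial.
# Assumed: filter-table INPUT/OUTPUT chains with policy DROP, and a kernel
# with the conntrack match. Nothing is applied unless DRY_RUN=0 and root.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

icmp_policy() {
    # Unconditional drops go first. They must precede the state rule: the
    # kernel's own time-exceeded / host-unreachable errors are classed
    # RELATED by conntrack and the state rule would otherwise let them out.
    ipt -A INPUT  -p icmp --icmp-type echo-request     -j DROP
    ipt -A OUTPUT -p icmp --icmp-type echo-reply       -j DROP
    ipt -A OUTPUT -p icmp --icmp-type time-exceeded    -j DROP
    ipt -A OUTPUT -p icmp --icmp-type host-unreachable -j DROP

    # Stateful rule: ICMP errors tied to a tracked flow (fragmentation
    # needed, source quench, ...) arrive as RELATED and are accepted here,
    # so no blanket "-p icmp -j ACCEPT" is required.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Unsolicited (NEW) ICMP of any other type now falls through to the
    # chain's DROP policy.
}

# Read iptables-save style rules on stdin and print every ACCEPT of ICMP
# that carries no --icmp-type restriction. Returns 1 if any were found.
audit_icmp_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"-p icmp"*"-j ACCEPT"*)
                case "$line" in
                    *"--icmp-type"*) ;;   # type-restricted: fine
                    *) echo "unrestricted ICMP accept: $line"; found=1 ;;
                esac
                ;;
        esac
    done
    return "$found"
}

# Stand-alone run: show the generated policy, then audit a constructed
# ruleset (sample input, not from a real host) containing the broad rule.
icmp_policy
printf '%s\n' \
    '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT' \
    '-A INPUT -p icmp -j ACCEPT' \
    '-A INPUT -p tcp --dport 22 -j ACCEPT' \
    | audit_icmp_rules || echo "audit flagged at least one rule"
```

Run as-is to see the rule list; `iptables-save | sh -c '. ./icmp_policy.sh; audit_icmp_rules'` style use of the audit function against a live ruleset is the intended check. The icmp-type names used (echo-request, echo-reply, time-exceeded, host-unreachable) are the ones `iptables -p icmp -h` lists; `-m conntrack --ctstate` is the current spelling of the older `-m state --state` match from the tutorial's era.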
