[olug] help with iptables firewall

Luke -Jr luke at dashjr.org
Fri Jul 27 15:36:57 UTC 2007


On Friday 27 July 2007 10:12, Dave Hull wrote:
> A little searching shows the recommendation repeated frequently
> with caveats of course. There are lots of networks out there that deny
> ICMP echo requests these days. NMAP even includes an option to skip
> pinging hosts when port scanning because so many networks don't allow
> ICMP echo.

Common does not make it a good idea. Many ISPs block important ports, too!

> I don't think anyone who makes this recommendation is doing so because
> Ping is insecure, but rather it allows an attacker to learn things
> about the network that you may not want them to know, like that
> there's a given host at a given IP address.

Security by obscurity is not security. If you still don't want someone to
learn about the validity of an IP address, then just have your external
firewall always intercept and respond to ICMP echos on its own, for outside
queries. It's a dumb idea, IMO, but still better than dropping it...

> For a publicly accessible resource in a DMZ like a web, smtp or ftp
> server, blocking ICMP echo requests and responses doesn't make sense,
> but do you want your firewall to allow anyone on the planet to ping
> hosts behind the firewall?

Yes.
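An added example, not part of this thread or written by either poster: an iptables policy in the spirit of the reply above, where the firewall and the hosts behind it stay pingable from outside but inbound echo is rate-limited rather than dropped wholesale. The interface name, DMZ subnet and limit values are assumptions; pass `echo` as the first argument to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: keep ICMP echo working through an iptables border firewall
# while capping how fast outside hosts may ping (protects against ping floods
# without hiding the hosts). eth0, 192.0.2.0/24 and the 5/s limit are assumed.
set -eu

WAN="${WAN:-eth0}"                   # assumed external interface
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"   # assumed DMZ subnet (documentation range)

# Usage: icmp_echo_policy          -> loads the rules with iptables
#        icmp_echo_policy echo     -> dry run, prints each rule instead
icmp_echo_policy() {
    ipt="${1:-iptables}"

    # Echo requests aimed at the firewall itself: accept, but at most 5/s
    # with a burst of 10, so a flood cannot tie up the box.
    "$ipt" -A INPUT -i "$WAN" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    # The firewall's own replies go back out unconditionally.
    "$ipt" -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # Hosts in the DMZ stay reachable by ping, under the same limit, and
    # their replies are forwarded back to the outside.
    "$ipt" -A FORWARD -i "$WAN" -d "$DMZ_NET" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    "$ipt" -A FORWARD -s "$DMZ_NET" -o "$WAN" -p icmp --icmp-type echo-reply -j ACCEPT

    # Only traffic over the limit is discarded; normal pings never hit these.
    "$ipt" -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP
    "$ipt" -A FORWARD -i "$WAN" -d "$DMZ_NET" -p icmp --icmp-type echo-request -j DROP
}

if [ "${1:-}" = "--dry-run" ]; then
    icmp_echo_policy echo
fi
```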
