Re: Clever firewall rules

From: Steffen Dettmer (
Date: 09/14/01

Date: Fri, 14 Sep 2001 20:49:41 +0200
From: Steffen Dettmer <>
To: focus-linux <>
Subject: Re: Clever firewall rules
Message-ID: <>

* Rob 'Feztaa' Park wrote on Thu, Sep 13, 2001 at 23:13 -0600:
> On 13 Sep 2001, Scott Gifford (dis)graced my inbox with this:
> > I wonder how much this rule helps? For each ping packet they send, it
> > looks like they'll get an ICMP Host Unreachable message, which hints
> > that a host is there (generally you'll just get no response if there's
> > no host there),

But they cannot determine if this there is host or not when all
PING receive the same response, so an attacker cannot know if
there is a host or not.

> On a large network, where it might be important to ping machines to see if
> the network is working or if that machine is up

For that netsaint can be used. In such a configuration, you can
IPSec tunnel the Netsaint traffic inside the network, and allow
only the one IP with the monitor, i.e. the Netsanit-host or the
VPN GW, this is better than allowing PING for everybody.

> then icmp traffic is good,

Well, and I would suggest to *not* block ICMP type 3 (dest.
unrechable), BTW.

> > before inspecting them, and it should be straightforward to configure
> > iptables to always reassemble packets before inspecting them.
> Does iptables have a configuration file that would do that?

No, this can be sone by the kernel itself, it's runtime
configurable (depending on your kernel compile options). Usually
you can turn on always defragment via:

echo "1" > /proc/sys/net/ipv4/ip_always_defrag

and you're done :)

> So far, I haven't had any problems with this rule, it hasn't prevented me
> from connecting to anybody or doing anything...

Well, on IPSec VPN connections it is quite common to have
fragments, since the packets get an additional header, which
leads to the fact that MTU packets won't fit in MTU with that new
header an get fragmented. BTW, always_defrag may increase
performance on VPN GWs.

> so since it's not hurting my connection, and it can't possibly
> make my machine less secure, I say keep it as-is.

Well, droping any fragments violates the RFC, and in conjunction
with errornously denied ICMP type 3 (which makes
MTU-path-discovery unusable) you can DoS your own network easily,
so take care.



Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.

Relevant Pages

  • Re: Do I Have A Firewalled LAN Run By ISP In Between?
    ... from that host while at host ... running a layer within a layer, with a complex network address translation ... application called "Internet Connection Sharing". ... what those packets are for, ...
  • Re: One computer cant see the other.
    ... I'm not sure I'm doing this right Steve, but on the command prompt at my host ... command prompt on my host machine and my client machine when I ping the host. ... network of two computers. ... The most likely problem is that a firewall (Norton, McAfee, ZoneAlarm, ...
  • Re: cant configure networking for static IP address
    ... I test the network configuration: ... before doing this first ping the first hop - the default gateway from ... I can't ping the DNS server ... they might only allow dns packets to these ...
  • Re: Strange networking problems after update 5.2.1->5.3
    ... I cannot ping it even from a host connected to the same ... My network at home is somewhat simpler ( is local, ... is another notebook that is acting as NAT and default router). ... not even the obviously outgoing ping packets. ...
  • Re: simple networking question
    ... Can the hardware PC's ping each other? ... company so why can't I network two pcs together?? ... I'm guessing you can ping by IP but not host name. ... virtualization). ...