Re: CAN-2004-1137

From: Blizbor (
Date: 01/05/05

  • Next message: R Dicaire: "ipv6, again"
    Date: Wed, 05 Jan 2005 18:40:25 +0100


    >>Secondly would 'iptables -A INPUT -p IGMP -j REJECT' protect my machine
    >>from remote attacks?
    Theoretically - yes. But practically - no. Why?
    Main idea is: do not allow any explicitly necessary traffic. In my
    opinion, as necessary you can count protocols tcp, udp and icmp. Others
    upon request or after detecting that somebody is trying to use them.
    Especially AH and ESP. "All other" protocols are used very rarely and
    mainly by the network infrastructure.
    Conclusion is: why allow "all other" traffic if all infrastructure is
    yours and you know that none of the other protocols are in use?
    So my answer is - no, because you are closing one hole after its
    exploitation. All other holes are still wide open. This can't be
    called "*wall" ;).
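
The single REJECT rule from the question next to the protocol allowlist the reply argues for, as an added example that is not part of the original post. The function names, the FORWARD/OUTPUT policies and the simplified `input_verdict` evaluator are assumptions made here; the script only prints rulesets in iptables-restore format and never touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): compare a one-protocol blocklist
# with a default-deny protocol allowlist. Output is iptables-restore syntax.

# Protocols the reply counts as necessary; AH/ESP are added only on request.
ALLOWED_PROTOS="tcp udp icmp"

# Form from the question: IGMP rejected, INPUT policy left at ACCEPT,
# so every other IP protocol still reaches the host.
blocklist_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p igmp -j REJECT' 'COMMIT'
}

# Allowlist form: INPUT policy DROP, then accept only the listed protocols.
# Extra protocols (for example "esp ah") can be passed as arguments.
# Assumption: a single host, so FORWARD is dropped and OUTPUT is open.
# A production ruleset would further restrict tcp/udp by port.
allowlist_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    for proto in $ALLOWED_PROTOS "$@"; do
        echo "-A INPUT -p $proto -j ACCEPT"
    done
    echo 'COMMIT'
}

# Verdict for an inbound packet of protocol $1 under the ruleset on stdin.
# Simplified model: the first "-A INPUT -p <proto> -j <target>" rule wins,
# otherwise the INPUT policy applies. Protocol names are compared as strings.
input_verdict() {
    awk -v p="$1" '
        $1 == ":INPUT" { policy = $2 }
        $1 == "-A" && $2 == "INPUT" && $3 == "-p" && $4 == p && $5 == "-j" {
            print $6; found = 1; exit
        }
        END { if (!found) print policy }
    '
}

# Show how each ruleset treats the blocked protocol and some unrelated ones.
for proto in igmp gre sctp tcp; do
    echo "$proto: blocklist=$(blocklist_rules | input_verdict "$proto")" \
         "allowlist=$(allowlist_rules | input_verdict "$proto")"
done
```

To apply the allowlist on a test machine, the output of `allowlist_rules` can be piped to `iptables-restore` as root.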

