Re: Which port to block for ping, and how?

From: Tauno Voipio (tauno.voipio_at_iki.fi.NOSPAM.invalid)
Date: 12/19/03


Date: Fri, 19 Dec 2003 20:33:08 GMT


"Anthony Campbell" <me@privacy.net> wrote in message
news:slrnbu6mpa.k34.me@acampbell.org.uk...
> On 2003-12-19, Tim Haynes <usenet-20031219@stirfried.vegetable.org.uk> wrote:
> > Anthony Campbell <me@privacy.net> writes:
> >
> > [snip]
> >>> The same goes for the destination-unreachable and time-exceeded rules;
> >>> they're all consumed within RELATED. There's no reason why you should
> >>> accept them as new from random hosts; for all I know, opening yourself
> >>> up to destination-unreachable packets means you'll have to handle them
> >>> as part of a DoS.
> >>
> >> I suppose my problem is not knowing how much I am achieving at present in
> >> terms of protection (reflection of my ignorance, obviously).
> >
> > Blocking everything apart from stuff you ask for. That's the normal way
> > around.
> >
> >> I'm rather perturbed by the failure to block pinging; it seems to mean I
> >> ought to do something more, but what?
> >
> > No, it means you should check what you've got open that's allowing it,
> > because the default is to drop everything.
> >
> > ~Tim
>
>
> I just closed everything but ping still gets through:
>
> ac:~:$ sudo nmap localhost
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-19 20:08 GMT
> All 1657 scanned ports on localhost (127.0.0.1) are: closed
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 2.333 seconds
>

Standard pings use ICMP (Internet Control Message Protocol, RFC 792), echo
request (type 8) and echo reply (type 0).

It's not generally considered proper behaviour (see RFC 1122 and RFC 1123)
to disable pings. Also, they do not make the computer totally invisible on
the Net - the only sure means is to pull the cable.

Think twice before disabling ICMP - there are messages essential for proper
functioning of TCP.

HTH

Tauno Voipio
tauno voipio @ iki fi
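
The ICMP layout Tauno describes (echo request type 8, echo reply type 0, RFC 792)
and Tim's point upthread that destination-unreachable and time-exceeded are
consumed within RELATED, as an added worked example that is not part of any post
in this thread. It assumes nothing about the original poster's ruleset: the
addresses, ports and the 0x1234 identifier are constructed sample data, the
NEW/ESTABLISHED/RELATED/INVALID labels follow netfilter conntrack's convention,
and nothing is sent on the wire.

```python
"""ICMP build/parse/classify (added example, not from the original posts).

Builds the RFC 792 echo request (type 8) and reply (type 0) that ping uses with an
RFC 1071 checksum, parses raw ICMP, and classifies inbound messages the way a
stateful filter such as netfilter conntrack does: unsolicited echo request = NEW,
reply to a ping we sent = ESTABLISHED, ICMP error quoting a flow we opened =
RELATED, anything else = INVALID. All sample data below is constructed.
"""

import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
# RFC 792 error types; each quotes the offending IP header plus 8 bytes of payload
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(itype: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo request (type 8) or reply (type 0): type, code 0, checksum, id, seq."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def build_icmp_error(itype: int, code: int, quoted: bytes, mtu: int = 0) -> bytes:
    """ICMP error carrying the quoted IP header + 8 bytes. For type 3 code 4
    (fragmentation needed) the last 16 bits hold the next-hop MTU (RFC 1191)."""
    header = struct.pack("!BBHHH", itype, code, 0, 0, mtu)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHHH", itype, code, csum, 0, mtu) + quoted


def build_ipv4_header(proto: int, src: str, dst: str, total_len: int = 28) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, IP checksum left 0) for sample packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_icmp(packet: bytes) -> dict:
    """Verify the checksum and split the message into type-specific fields."""
    if len(packet) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(packet) != 0:          # a valid packet sums to all ones
        raise ValueError("bad ICMP checksum")
    itype, code = packet[0], packet[1]
    msg = {"type": itype, "code": code}
    if itype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        msg["id"], msg["seq"] = struct.unpack("!HH", packet[4:8])
        msg["payload"] = packet[8:]
    elif itype in ICMP_ERROR_TYPES:
        msg["quoted"] = packet[8:]
        if itype == ICMP_DEST_UNREACH and code == 4:
            msg["mtu"] = struct.unpack("!H", packet[6:8])[0]
    return msg


def quoted_flow(quoted: bytes):
    """Flow key from the IP header + 8 bytes an ICMP error quotes:
    (proto, src, sport, dst, dport) for TCP/UDP, ('icmp', ident) for a ping."""
    if len(quoted) < 20:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    src, dst = socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20])
    l4 = quoted[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:          # TCP or UDP: ports come first
        sport, dport = struct.unpack("!HH", l4[:4])
        return (proto, src, sport, dst, dport)
    if proto == 1 and len(l4) >= 6:                # quoted echo request
        return ("icmp", struct.unpack("!H", l4[4:6])[0])
    return None


def classify(packet: bytes, our_flows: set) -> str:
    """Conntrack-style state of an inbound ICMP message; our_flows holds the keys
    (as quoted_flow produces them) of connections and pings this host originated."""
    msg = parse_icmp(packet)
    if msg["type"] == ICMP_ECHO_REQUEST:
        return "NEW"                                # someone is pinging us
    if msg["type"] == ICMP_ECHO_REPLY:
        return "ESTABLISHED" if ("icmp", msg["id"]) in our_flows else "INVALID"
    if msg["type"] in ICMP_ERROR_TYPES:
        return "RELATED" if quoted_flow(msg["quoted"]) in our_flows else "INVALID"
    return "INVALID"


def demo() -> dict:
    """Constructed scenario: we opened TCP 198.51.100.7:40000 -> 192.0.2.10:443 and
    pinged with identifier 0x1234; then four ICMP messages arrive from outside."""
    our_flows = {(6, "198.51.100.7", 40000, "192.0.2.10", 443), ("icmp", 0x1234)}
    inbound_ping = build_echo(ICMP_ECHO_REQUEST, 0x4242, 7, b"probe")
    ping_reply = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"hello")
    ours = build_ipv4_header(6, "198.51.100.7", "192.0.2.10") + struct.pack("!HHI", 40000, 443, 0)
    frag_needed = build_icmp_error(ICMP_DEST_UNREACH, 4, ours, mtu=1400)  # PMTUD signal
    stray = build_ipv4_header(6, "198.51.100.7", "203.0.113.9") + struct.pack("!HHI", 40000, 80, 0)
    stray_error = build_icmp_error(ICMP_TIME_EXCEEDED, 0, stray)
    return {
        "inbound_ping": classify(inbound_ping, our_flows),
        "ping_reply": classify(ping_reply, our_flows),
        "frag_needed": classify(frag_needed, our_flows),
        "stray_error": classify(stray_error, our_flows),
        "next_hop_mtu": parse_icmp(frag_needed)["mtu"],
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(name, state)
```

The type 3 code 4 message in the scenario is the one Tauno's last paragraph is
about: it is how path MTU discovery tells a TCP sender to shrink its segments, so
a filter that drops all ICMP instead of letting errors that quote our own flows
through as RELATED breaks TCP to any path with a smaller MTU. The inbound echo
request is classified NEW, which is exactly where an explicit ACCEPT (or DROP)
rule for ping belongs; dropping it does not stop the stray time-exceeded from
being rejected as INVALID, since that decision is made on the quoted flow.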