Re: How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets

From: Trygve Selmer (trselmer_at_start.no)
Date: 10/27/04

• Next message: GreySoul: "Re: online Nessus scanners"
• Previous message: illecebra: "Re: RPM Verification"
• In reply to: Santa: "Re: How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets"
• Next in thread: Jens Hoffmann: "Re: How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 27 Oct 2004 01:53:37 +0200

Santa wrote:
> Allen,
>
> I set send_redirects and accept_redirects to zero for default
> interfaces. How about Source Quench and Timestamp packets?. Do I have
> to set netfilter rules?.

Try something like this:

# Disable source routed packets.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
# Disable ICMP redirects acceptance.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
# Dont send redirects packets.
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

iptables -N ICMP

iptables -A ICMP -p icmp --fragment -j DROP
iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
iptables -A ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A ICMP -p icmp -j DROP

Then call the ICMP chain from your INPUT and/or FORWARD chain.

---

• Next message: GreySoul: "Re: online Nessus scanners"
• Previous message: illecebra: "Re: RPM Verification"
• In reply to: Santa: "Re: How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets"
• Next in thread: Jens Hoffmann: "Re: How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets ... How about Source Quench and Timestamp packets?. ... iptables -N ICMP ... Then call the ICMP chain from your INPUT and/or FORWARD chain. ... (comp.security.firewalls) Re: How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets ... How about Source Quench and Timestamp packets?. ... iptables -N ICMP ... Then call the ICMP chain from your INPUT and/or FORWARD chain. ... (comp.os.linux.misc) TCP/IP Applications FAQ ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ... (comp.unix.questions) TCP/IP Applications FAQ ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ... (comp.unix.questions) TCP/IP Applications FAQ ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ... (comp.unix.questions)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.linux.security  > 2004-10