Re: RELATED ICMP packets "destination-unreachable"

From: Mikhail Zotov (blah_at_blah)
Date: 02/12/05

  • Next message: redjupiter: "Please explain what happened here."
    Date: Sat, 12 Feb 2005 07:31:58 +0300
    
    

    Juha Laiho wrote on Friday 11 February 2005 19:02:
    > muxaul@lenta.ru said:
    >>I would like to clarify the following issue:
    >>Can an attacker make my machine (protected by an iptables firewall)
    >>reply with _RELATED_ ICMP packets "destination-unreachable"?
    >>In other words, is it safe to allow outgoing packets of this type
    >>(mostly 3/1)?
    >
    > If you let a packet through iptables, your machine will reply
    > in whichever is the appropriate way. If you don't let the packet
    > through iptables, then the attacker will see whatever you cook
    > up with iptables (including "silence" - i.e. you just drop the
    > incoming packets).
    >
    > So, outgoing response depends on what you let in. If you don't let
    > anything in, there isn't anything to respond to. And if there's something
    > you want to let in (from anywhere), then it doesn't make sense to prohibit
    > regular outbound ICMP traffic control packets.

    Thank you. I see.

    Regards,
    Mikhail
