Re: RELATED ICMP packets "destination-unreachable"
From: Mikhail Zotov (blah_at_blah)
Date: Sat, 12 Feb 2005 07:31:58 +0300
Juha Laiho wrote on Friday 11 February 2005 19:02:
> email@example.com said:
>> I would like to clarify the following issue:
>> Can an attacker make my machine (protected by an iptables firewall)
>> reply with _RELATED_ ICMP packets "destination-unreachable"?
>> In other words, is it safe to allow outgoing packets of this type
> If you let a packet through iptables, your machine will reply
> in whichever is the appropriate way. If you don't let the packet
> through iptables, then the attacker will see whatever you cook
> up with iptables (including "silence" - i.e. you just drop the
> incoming packets).
> So, outgoing response depends on what you let in. If you don't let
> anything in, there isn't anything to respond to. And if there's something
> you want to let in (from anywhere), then it doesn't make sense prohibiting
> regular outbound ICMP traffic control packets.
Thank you. I see.
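A ruleset illustrating the point made above, added here as an example and not part of the thread: inbound traffic is dropped by default, so the only outbound destination-unreachable messages the box can emit are those conntrack ties (RELATED) to traffic that was deliberately let in. Assumptions: SSH on tcp/22 is the one service accepted from anywhere; iptables-restore format.

```text
# Added example (not from the thread). Load with: iptables-restore < rules.v4
# Assumption: tcp/22 is the only service we let in from anywhere.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# What we let in: replies to our own flows, plus new SSH sessions.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Anything else falls to the DROP policy. A dropped packet never reaches
# the IP stack, so the kernel has nothing to answer with: the attacker
# sees "silence", not a destination-unreachable.

# What we let out: flows we originate and their replies.
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# Outbound ICMP errors only when conntrack relates them to a flow that
# passed the INPUT rules above (for example a port-unreachable for a UDP
# datagram we accepted but nothing was listening for). Unsolicited ICMP
# errors for packets we dropped never exist, so this rule cannot be
# triggered by traffic the INPUT chain refused.
-A OUTPUT -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
# Everything else the stack tries to send is dropped by the OUTPUT policy.
COMMIT
```

Changing the INPUT policy (or a final rule) from DROP to REJECT would make the box itself answer refused packets with ICMP errors, which is the "whatever you cook up with iptables" case described above.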