Re: RELATED ICMP packets "destination-unreachable"
From: Mikhail Zotov (blah_at_blah)
Date: 02/12/05
- Previous message: Kyle: "Re: x11 port 6000 not open"
- In reply to: Juha Laiho: "Re: RELATED ICMP packets "destination-unreachable""
- Next in thread: Gareth Bromley: "Re: RELATED ICMP packets "destination-unreachable""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 12 Feb 2005 07:31:58 +0300
Juha Laiho wrote on Friday 11 February 2005 19:02:
> muxaul@lenta.ru said:
>>I would like to clarify the following issue:
>>Can an attacker make my machine (protected by an iptables firewall)
>>reply with _RELATED_ ICMP packets "destination-unreachable"?
>>In other words, is it safe to allow outgoing packets of this type
>>(mostly 3/1)?
>
> If you let a packet through iptables, your machine will reply
> in whichever is the appropriate way. If you don't let the packet
> through iptables, then the attacker will see whatever you cook
> up with iptables (including "silence" - i.e. you just drop the
> incoming packets).
>
> So, outgoing response depends on what you let in. If you don't let
> anything in, there isn't anything to respond to. And if there's something
> you want to let in (from anywhere), then it doesn't make sense prohibiting
> regular outbound ICMP traffic control packets.
Thank you. I see.
Regards,
Mikhail