Re: drop or reject

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 03/04/05

Date: Thu, 03 Mar 2005 20:09:53 -0600

    In article <clld211to6f68rd9jk5qechmverm3udarm@4ax.com>, Trinity wrote:

    >On Thu, 03 Mar 2005 16:23:39 +0900, Gerald Vogt <vogt@spamcop.net>
    >wrote:

    >>Well, yes. There is no benefit. A legitimate ping for management purposes
    >>won't work which may be bad occasionally (ICMP does have a purpose
    >>beyond "ping" in IP else it wouldn't be there). It probably retries a
    >>couple of times after each timeout. A ping from the bad guy cannot harm
    >>you either (the "ping of death" is ancient history...):

    I basically agree with this - initially we were just blocking pings (not
    ICMP) from idiots that were slinging endless ping packets at our block.
    When we got to perhaps a hundred 'deny' rules, we said the hell with it,
    and now block ICMP type 8 inbound to everyone except the NOC at our
    upstream.

    >>if you answer he knows you are there, if you don't answer he knows you are
    >>there, too.

    Agreed

    >I see no option to set it to "not reachable" or whatever so I should
    >just enable "WAN Ping" and let anyone ping me?

    This sounds like a toy firewall on a home grade system. You probably
    don't need to be offering any services, so disabling pings inbound
    may be a good idea.

    >That isn't what security websites say to do. They say to drop pings.

    As noted in the response to your post to my article, NSA did recommend
    that. But what is also recommended is that if you are not offering
    network services, you should _disable_ them, which blocks inbound
    packets. Do you really want to share your hard drive or printer with
    someone on another continent?

    >You guys giving good info or not? I hear Usenet is full of BS and want to
    >make sure I'm getting good info. No offense intended.

    -----------------------------------------------------
    There are three very simple rules about services and open ports:

    #1 - if you don't know what it is, disable it, and see if anything breaks.

    #2 - if nothing breaks, then you didn't need that.

    #3 - if it appears to have 'broken' some function or service, look in the
    logs, and identify the specific problem.
    -------------------
    For a firewall, there are three very simple rules you should be following
    when trying to configure them:

    #1 - If you don't know what it is, block it, and see if anything breaks.

    #2 - If while denying the connection, nothing breaks, then you didn't need
    that.

    #3 - If the firewall appears to have 'broken' some function or service,
    look in the logs, and identify the specific problem. What specifically is
    being rejected? Then figure the smallest hole that will fix that problem.
    This may mean allowing connections to 'this' port, from 'that' IP address.
    Remember that word - you are opening a _hole_ in your defenses.

    A good rule of thumb is that you should disallow everything, rather than
    just rule 1. It is of little use to have blocked port $FOO, when an entire
    _army_ of bad stuff is coming in through the other 65,000 ports that you
    left open to the world. This is especially true for the home user, or the
    inexperienced. Then you can follow rules 2 and 3 to resolve any problem that
    may develop. "Block everything by default, and allow needed items" is a lot
    safer than attempting to block specific items while allowing everything
    else. What you don't know (or block) _can_ hurt you.
    -----------------------------------------------------

    Notice the words - 'block' and 'disallow'. I really don't care how you do that.
    Reject, drop - it doesn't matter to me. Just don't think that by dropping
    unwanted packets you are going to save your bandwidth, OR magically disappear
    from the Internet. It doesn't work that way.

            Old guy
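An added example, not from the post or any poster in the thread, of the "block everything by default, allow needed items" approach described above: an iptables INPUT chain that denies by default, admits ICMP type 8 only from the upstream NOC, and logs what it denies, plus a log summary for rule #3 ("what specifically is being rejected?"). NOC_NET, the FW-DROP prefix and the log lines are constructed placeholders; IPT=echo previews the rules without root.

```shell
#!/bin/sh
# Added example: default-deny INPUT chain in the spirit of the post.
# IPT can be overridden (IPT=echo) to preview the rules before applying them as root.
IPT=${IPT:-iptables}
NOC_NET=${NOC_NET:-192.0.2.0/24}   # placeholder for the upstream NOC's range (constructed)

build_ruleset() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections we started (and related ICMP errors) keep working
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ICMP type 8 (echo-request) only from the NOC; nobody else gets to ping us
    $IPT -A INPUT -p icmp --icmp-type 8 -s "$NOC_NET" -j ACCEPT
    # rule 3 depends on logs: tag what is denied, rate-limited so a flood cannot fill them
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    # rule 1: everything not matched above is blocked (policy set last, so we never lock ourselves out)
    $IPT -P INPUT DROP
}

# Rule 3 helper: count FW-DROP log lines by protocol, destination port
# (or ICMP type) and source, most frequent first; each line names the smallest
# hole (this port, from that address) that would fix a broken service.
summarize_drops() {
    grep 'FW-DROP:' | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
            if (kv[1] == "TYPE")  dpt = "type" kv[2]
        }
        if (src != "") count[proto " " dpt " " src]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of kernel log lines, in the shape iptables LOG produces
SAMPLE_LOG='Mar  3 20:09:53 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51000 DPT=445 SYN
Mar  3 20:09:54 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51001 DPT=445 SYN
Mar  3 20:09:55 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 20:09:56 gw kernel: unrelated line that the summary must ignore'

if [ "${1:-}" = "demo" ]; then
    IPT=echo
    build_ruleset
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
fi
```

Run with `demo` to see the preview; in real use, feed `summarize_drops` from the kernel log and only then decide which single port/source pair, if any, deserves an ACCEPT rule above the LOG line.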

