On Thu, May 30, 2002 at 01:45:53PM +0100, Dave Wilson mentioned:
> >>Allow incoming ICMP
> >I would only allow ICMP (pings) from local hosts (or better still no hosts
> >at all).
> >Just makes it a little bit harder to detect for script kiddies...
> Disagree; ICMP is needed for path mtu discovery and other stuff. Things
> can *appear* to work but may fail in interesting ways for a small number
> of people if you block it. Realistically, the fact that it's on the
> internet (i.e. has a global IPv4 address) means it will be scanned for
> vulnerabilities frequently; blocking ICMP won't change that significantly.
Indeed. And, if the box is already running a webserver on an IP, blocking
ICMP to that IP isn't going to help much. A good rule of thumb is:
If a firewall blocks ICMP, it's broken.
Kate
--
_______________________________________
John Looney Chief Scientist
a n t e f a c t o t: +353 1 8586004
www.antefacto.com f: +353 1 8586014
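An added illustration of the path MTU discovery point raised in this thread (not part of the original messages): a router's ICMP "fragmentation needed" message (type 3, code 4, RFC 1191) carries the next-hop MTU, and a sender that never receives it keeps losing large packets while small ones still get through. The function names and the simulated 1400-byte link are assumptions made for the example.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(mtu: int, original: bytes) -> bytes:
    """Router side: ICMP type 3 code 4 carrying the next-hop MTU (RFC 1191)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def next_hop_mtu(msg: bytes):
    """Host side: advertised MTU, or None if not a valid type 3 / code 4."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    # 68 bytes is the smallest MTU an IPv4 link may have (RFC 791).
    return mtu if (icmp_type, code) == (3, 4) and mtu >= 68 else None

def send(sizes, link_mtu, firewall_passes_icmp, path_mtu=1500):
    """Simulate a sender emitting DF-set packets across a narrower link.
    Returns (delivered sizes, black-holed sizes)."""
    delivered, lost = [], []
    # Constructed stand-in for the quoted IP header + 8 bytes of payload.
    quoted = b"\x45" + bytes(27)
    for size in sizes:
        on_wire = min(size, path_mtu)  # sender's current path MTU estimate
        if on_wire <= link_mtu:
            delivered.append(size)
            continue
        icmp = build_frag_needed(link_mtu, quoted)  # router drops and reports
        learned = next_hop_mtu(icmp) if firewall_passes_icmp else None
        if learned:
            path_mtu = learned      # retransmit in smaller pieces
            delivered.append(size)
        else:
            lost.append(size)       # silent black hole: no error ever arrives
    return delivered, lost

if __name__ == "__main__":
    print("ICMP allowed:", send([100, 1500, 1500], 1400, True))
    print("ICMP blocked:", send([100, 1500, 1500], 1400, False))
```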