RE: [Wlug] Verizon DSL on SuSE
I personally have my firewall configured to drop pings. If they don't know you're there, you aren't a target. Granted it doesn't keep seasoned hackers off your box, but it's one more piece of security.

-----Original Message-----
From: Josh Huber [mailto:huber@alum.wpi.edu]
Sent: Thursday, April 08, 2004 10:50 AM
To: wlug@mail.wlug.org
Subject: Re: [Wlug] Verizon DSL on SuSE

avedis@rcn.com writes:
[...] then could surf, with download speeds up to 1.7M/s.
Just curious, is that bytes or bits? (I wasn't aware of verizon offering such a fast link)
I even got my firewall working with the new connection, but two things seem to have changed. SuSEfirewall2 was set not to accept pings, and it looks like it's still set that way, but Gibson Research's port scanning utility can ping me. The other thing is that before, I had to manually enter commands (iptables) to drop packets to port 119 to put it into "stealth" mode. Now, I don't have to do that, as it already appears stealthed. Can anyone explain either of these phenomena?
I'm not sure why you would want to drop all pings. You'll probably find that the default firewalling rules drop some kinds of ICMP packets, but there are some which are useful to keep around. (Personally, I think dropping all inbound ICMP is pretty annoying when trying to diagnose network issues...)

As for port 119, this appears to be the NNTP (net news) port -- why you would be running a news server I'm not sure :)

-- Josh Huber
"Martin, Eric" <MartinE@worc.k12.ma.us> writes:
I personally have my firewall configured to drop pings. If they don't know you're there, you aren't a target. Granted it doesn't keep seasoned hackers off your box, but it's one more piece of security.
I don't buy that argument. Two situations:

1) You have no other internet-visible services:
   * What's the harm in allowing icmp echo? Who cares, unless there happens to be some vulnerable ICMP code in the kernel. I suppose that's a risk I'd be willing to take. :)

2) You have other internet-visible services:
   * A port scan will reveal you, regardless of ICMP responses.

-- Josh Huber
On Fri, Apr 09, 2004 at 10:50:18AM -0400, Josh Huber wrote:
"Martin, Eric" <MartinE@worc.k12.ma.us> writes:
I personally have my firewall configured to drop pings. If they don't know you're there, you aren't a target. Granted it doesn't keep seasoned hackers off your box, but it's one more piece of security.
I don't buy that argument. Two situations:
How about the fact that if you don't, you're open to acting as an unwitting participant in a smurf/fraggle amplification DoS?

-- Frank Sweetser fs at wpi.edu WPI Network Engineer
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
Frank Sweetser <fs@WPI.EDU> writes:
How about the fact that if you don't, you're open to acting as an unwitting participant in a smurf/fraggle amplification DoS?
I suppose, if you don't enable things like the rp_filter (or equivalent with iptables) and

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

I doubt anyone keeps udp echo enabled these days.

-- Josh Huber
On Fri, Apr 09, 2004 at 11:19:19AM -0400, Josh Huber wrote:
Frank Sweetser <fs@WPI.EDU> writes:
How about the fact that if you don't, you're open to acting as an unwitting participant in a smurf/fraggle amplification DoS?
I suppose, if you don't enable things like the rp_filter (or equivalent with iptables) and
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
I doubt anyone keeps udp echo enabled these days.
That doesn't always work. Not all of these attacks require that the packet sent to your machine be sent to what your machine believes is the broadcast address for your subnet.

Think of it this way. Would you leave your back door unlocked and open just because you've only seen people come in and out of the front door?

-- Frank Sweetser fs at wpi.edu WPI Network Engineer
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
Frank Sweetser <fs@WPI.EDU> writes:
That doesn't always work. Not all of these attacks require that the packet sent to your machine be sent to what your machine believes is the broadcast address for your subnet.
True. I suppose some simple rate limiting would do the trick for this as a general solution... (-m limit --limit 2/second type thing)
Think of it this way. Would you leave your back door unlocked and open just because you've only seen people come in and out of the front door?
Well, we are talking about ping here. -- Josh Huber
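The two controls the thread ends up with, the icmp_echo_ignore_broadcasts sysctl and an iptables rule of the "-m limit --limit 2/second" kind, modeled together as an added example. This is not code from the thread or from the kernel: the token bucket below reproduces the semantics of the iptables limit match (average rate plus a burst credit, which defaults to 5), the addresses are constructed test addresses, and the spoofed-source flood is a constructed sample of the kind of traffic Frank describes, where the packet is unicast to your host rather than to the subnet broadcast.

```python
"""Model of how a Linux host treats inbound ICMP echo requests under two controls:

  1. the icmp_echo_ignore_broadcasts sysctl (drops echo requests sent to the
     subnet broadcast address, the classic smurf reflector case), and
  2. an iptables rule shaped like
       -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 5 -j ACCEPT
       -A INPUT -p icmp --icmp-type echo-request -j DROP

The LimitMatch class is a simulation of the limit match's token bucket, not the
kernel's code. Addresses are constructed for the example.
"""
from dataclasses import dataclass, field
import ipaddress

HOST_ADDR = ipaddress.ip_address("192.0.2.10")    # assumed: our box
BROADCAST = ipaddress.ip_address("192.0.2.255")   # assumed: our subnet broadcast


@dataclass
class EchoRequest:
    t: float     # arrival time in seconds
    src: str     # claimed source (spoofed in the attack case)
    dst: str     # destination the packet was addressed to


@dataclass
class LimitMatch:
    """Token bucket with the semantics of iptables -m limit."""
    rate: float = 2.0        # --limit 2/second
    burst: int = 5           # --limit-burst (iptables default is 5)
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)   # bucket starts full

    def allow(self, now: float) -> bool:
        # Refill at `rate` tokens per second, capped at the burst size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_echo(packets, ignore_broadcasts=True, limit=None):
    """Return one verdict string per packet, in order."""
    limit = limit or LimitMatch()
    verdicts = []
    for p in packets:
        # Kernel-level check first: a broadcast-addressed echo never reaches
        # the firewall's accept path when the sysctl is set to 1.
        if ignore_broadcasts and ipaddress.ip_address(p.dst) == BROADCAST:
            verdicts.append("DROP(broadcast)")
            continue
        # Unicast echo requests (including spoofed ones, which look identical
        # to the host) are subject only to the rate limit.
        verdicts.append("ACCEPT" if limit.allow(p.t) else "DROP(limit)")
    return verdicts


def demo():
    victim = "198.51.100.7"   # constructed: the address an attacker spoofs as source
    probe = "203.0.113.5"     # constructed: a legitimate host pinging us once a second
    broadcast_probe = [EchoRequest(0.0, victim, str(BROADCAST))]
    flood = [EchoRequest(0.0, victim, str(HOST_ADDR)) for _ in range(20)]
    pings = [EchoRequest(float(s), probe, str(HOST_ADDR)) for s in (1, 2, 3)]
    return filter_echo(broadcast_probe + flood + pings)


if __name__ == "__main__":
    for i, v in enumerate(demo()):
        print(i, v)
```

With the bucket starting full, the first five packets of the flood are accepted and the remaining fifteen are dropped, so a reflector gets at most the burst plus two replies per second out of this host no matter how fast it sends; the later pings at one-second spacing all pass, since the bucket has regained two tokens each time.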