On Thursday 30 May 2002 7:27 pm, Marcus Zoller wrote:

> On Fri, 2002-05-31 at 04:02, Claudio Mio wrote:
> > iptables -A INPUT -p icmp -i ${LAN_IF} -j LOG
> > iptables -A OUTPUT -p icmp -o ${LAN_IF} -j LOG
>
> By the way: If you want to block pings to your machine,
> do this by blocking icmp INPUT with message-type 8 (echo-request).
>
> Never ever block all ICMP from/to your machine! This will break nearly
> anything. The minimum you must ACCEPT for input and output is message
> type 3 and 11.

I disagree with this, although it depends on whether the box acting as the 
firewall is also running any clients or servers (i.e. does it ever act as an 
endpoint in an IP communication, or is it just a filtering router?).

If the firewall is running clients / servers, then the advice given above is 
correct - you should not indiscriminately block ICMP to / from the machine, 
however if the firewall is only a router, then it is perfectly okay to block 
incoming / outgoing ICMP so long as you still allow it *through* the machine 
for clients and servers to send ICMP messages to each other.

I always recommend that a firewall should be a firewall and nothing else, and 
that it should also be invisible on the network - default policy of DROP on 
the INPUT chain, with selective filtering in the FORWARD chain.

By all means be selective about what ICMP you do allow through your firewall 
- you may not want outsiders to be able to ping your internal machines, for 
example, but do not just block all ICMP between endpoints which need to 
communicate.


Antony.

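As an added example (not part of the thread, and not Antony's or Marcus's rules), here is one iptables ruleset for each of the two cases discussed above: a pure filtering router with a DROP policy on INPUT and selective ICMP in FORWARD, and an endpoint that blocks only echo-request (type 8) while still accepting and emitting types 3 and 11. The interface names eth0 (outside) and eth1 (inside) are assumed, and the ESTABLISHED,RELATED state match is my addition so that ICMP errors tied to existing connections pass without a rule per type. By default the script prints the commands instead of running them; set DRY_RUN=0 to apply.

```shell
#!/bin/sh
# Added example for the ICMP filtering discussion; assumed interface names below.
LAN_IF="${LAN_IF:-eth1}"   # assumption: inside interface
WAN_IF="${WAN_IF:-eth0}"   # assumption: outside interface

# Print each rule instead of applying it unless DRY_RUN=0.
IPT() {
    if [ "${DRY_RUN:-1}" = 0 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Case 1: the box is only a filtering router and never an endpoint.
# INPUT drops everything; ICMP between endpoints is filtered in FORWARD.
router_rules() {
    IPT -F
    IPT -P INPUT DROP
    IPT -P FORWARD DROP
    # ICMP errors and replies belonging to existing connections pass first.
    IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outsiders may not ping internal machines: drop echo-request (8)
    # coming in on the WAN side before the accept rules below.
    IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p icmp --icmp-type 8 -j DROP
    # Destination-unreachable (3) and time-exceeded (11) must reach the
    # endpoints in both directions, or path MTU discovery and traceroute break.
    IPT -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
    IPT -A FORWARD -p icmp --icmp-type 11 -j ACCEPT
    # Internal machines may still ping outward; replies return via the state rule.
    IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p icmp --icmp-type 8 -j ACCEPT
}

# Case 2: the box runs clients or servers itself. Block pings to it by
# matching only echo-request; never block all ICMP on INPUT/OUTPUT.
endpoint_rules() {
    IPT -A INPUT -p icmp --icmp-type 8 -j DROP
    # Minimum the endpoint must accept and emit: types 3 and 11.
    IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    IPT -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    IPT -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
}

# Usage: sh icmp-rules.sh router | endpoint   (DRY_RUN=0 to apply for real)
case "${1:-}" in
    router)   router_rules ;;
    endpoint) endpoint_rules ;;
esac
```

Rule order matters in router_rules: the WAN-to-LAN echo-request DROP sits before the ACCEPT rules, and the FORWARD policy of DROP discards any ICMP type not listed, which is the "selective" filtering Antony describes.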