From owner-freebsd-security Fri Nov 12 11:44:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2]) by hub.freebsd.org (Postfix) with SMTP id 115A214CD3 for ; Fri, 12 Nov 1999 11:44:00 -0800 (PST) (envelope-from bvi@rucus.ru.ac.za)
Received: (qmail 98654 invoked by uid 374); 12 Nov 1999 19:43:58 -0000
Date: Fri, 12 Nov 1999 21:43:58 +0200
From: Barry Irwin
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: safe protocols to eat via ipfw
Message-ID: <19991112214358.B57266@rucus.ru.ac.za>
References: <3.0.5.32.19991112111449.00b273f0@staff.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3.0.5.32.19991112111449.00b273f0@staff.sentex.ca>; from mike@sentex.net on Fri, Nov 12, 1999 at 11:14:49AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 1999-11-12 (11:14), Mike Tancsa wrote:
>
> Apart from dropping spoofed addresses, what ICMP types do people generally
> block at their borders ? I noticed a lot of redirects coming at my dialups
> this morning from the outside world....
> is deny icmp from any to any in recv icmptype 5
> a good thing to do ? Does it break anything ?

This in a nice friendly world would be used by a router to tell you things have moved around, and that another router should be used instead, due to it having a better path. However the reality of the net today is that it isn't an altogether friendly place. Some of these icmp redirects could be valid, others however could be malicious in nature. My suggestion would be to kill it off (maybe with a log option) and see what happens, possibly just deny it for dialup users.

Another ICMP type that I've seen abused is the ICMP type 3 (destination unreachable).
The most common implementation of this abuse that I've come across is on IRC where users are 'nuked' with a faked ICMP unreachable message for the server, and the server receives a similar spoof, the net result being a disconnection of the user from the server. According to Stevens' TCP/IP book, there are 15 codes falling under ICMP type 3. Killing this could enhance your security, but would almost certainly start causing problems with hosts that really are unreachable: instead of an ICMP message being returned, the TCP connection would just have to time out. Again, this could be something you could consider just implementing for your dialups.

None of the other ICMP codes look too problematic (Router solicitation/advertisement type 10 and 11 - maybe, although I'm not sure how much this is used anymore).

Barry

--
--------------------------------------------------------------------------
Barry Irwin IRC: balin@zanet (#linux) bvi@moria.org http://rucus.ru.ac.za/~bvi
Whois BI414 - PMPN8EZ - http://moria.org
--------------------------------------------------------------------------
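The policy the thread converges on (deny inbound ICMP redirects, type 5, with logging; deny destination-unreachable, type 3, only toward the dialup pool and accept slower TCP timeouts there) can be modelled outside ipfw to see what each message would be classified as. The following is an added example written for this page, not code from the original post or from FreeBSD; it is a small ICMP header decoder plus a policy function. The code table for type 3 is taken from RFC 792/1122/1812 (the list the post attributes to Stevens), the checksum verification is an extra sanity check not mentioned in the thread, the dialup prefix `10.1.0.0/16` and all packets are constructed sample data, and the function names are my own.

```python
"""Added example: classify inbound ICMP the way the border policy discussed in
the thread would (deny type 5 redirects with logging; deny type 3 unreachables
only toward dialup address space). A pure-Python model, not ipfw itself."""
import ipaddress
import struct

# Destination-unreachable (ICMP type 3) codes from RFC 792 / 1122 / 1812.
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 8: "source host isolated",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    11: "network unreachable for TOS", 12: "host unreachable for TOS",
    13: "communication administratively prohibited",
    14: "host precedence violation", 15: "precedence cutoff in effect",
}
# Redirect (ICMP type 5) codes from RFC 792.
REDIRECT_CODES = {0: "redirect for network", 1: "redirect for host",
                  2: "redirect for TOS and network", 3: "redirect for TOS and host"}
ICMP_UNREACH = 3
ICMP_REDIRECT = 5


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Construct a well-formed ICMP message (constructed sample input only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode type, code and checksum validity; describe known type 3/5 codes."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    if icmp_type == ICMP_UNREACH:
        desc = UNREACH_CODES.get(code, "unknown unreachable code %d" % code)
    elif icmp_type == ICMP_REDIRECT:
        desc = REDIRECT_CODES.get(code, "unknown redirect code %d" % code)
    else:
        desc = "type %d code %d" % (icmp_type, code)
    # A message whose checksum field is correct sums to zero under the RFC 1071 rule.
    return {"type": icmp_type, "code": code,
            "checksum_ok": icmp_checksum(msg) == 0, "desc": desc}


def decide(msg: bytes, dst_ip: str, dialup_nets) -> dict:
    """Apply the thread's border policy to one inbound ICMP message."""
    info = parse_icmp(msg)
    dst = ipaddress.ip_address(dst_ip)
    to_dialup = any(dst in ipaddress.ip_network(n) for n in dialup_nets)
    if not info["checksum_ok"]:
        return {"action": "deny", "log": True, "reason": "bad ICMP checksum"}
    if info["type"] == ICMP_REDIRECT:
        # Hosts behind the border should not learn routes from the outside world.
        return {"action": "deny", "log": True,
                "reason": "inbound redirect: " + info["desc"]}
    if info["type"] == ICMP_UNREACH and to_dialup:
        # Accept the cost of slower TCP timeouts only for the dialup pool.
        return {"action": "deny", "log": False,
                "reason": "unreachable to dialup: " + info["desc"]}
    return {"action": "allow", "log": False, "reason": info["desc"]}


if __name__ == "__main__":
    dialup = ["10.1.0.0/16"]  # constructed dialup address pool
    samples = [  # constructed inbound messages and their destinations
        ("redirect", build_icmp(5, 1, rest=b"\xc0\x00\x02\x01"), "10.1.2.3"),
        ("unreach to dialup", build_icmp(3, 3), "10.1.2.3"),
        ("unreach to server", build_icmp(3, 3), "192.0.2.10"),
        ("echo request", build_icmp(8, 0, rest=b"\x00\x01\x00\x01"), "192.0.2.10"),
    ]
    for name, msg, dst in samples:
        print(name, decide(msg, dst, dialup))
```

Run as a script it prints the verdict for each constructed sample; the same `decide()` can be pointed at ICMP bytes pulled from a capture to check what an ipfw rule set built along these lines would drop before it is deployed.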