From: Jason Stone
Date: Mon, 27 Oct 2003 03:12:48 -0800 (PST)
To: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?
In-Reply-To: <20031027120642.A96390@trillian.santala.org>
Message-ID: <20031027030027.B8440@walter>
References: <200310270731.AAA23485@lariat.org> <20031027080240.GA9552@rot13.obsecurity.org> <20031027120642.A96390@trillian.santala.org>

> > > D'oh? I like ping very much
> > The security and DoS concerns are really kind of obvious.
> Blocking all ping packets to improve security is nothing more than
> security through obscurity.

No, you're missing the point - when all of my clients started massively pinging the internet, the load on my NAT box brings down connectivity for my whole office. We're not talking about obscuring the layout of a network - we're talking about a client that is massively flooding with a particular kind of traffic, and so we're blocking that traffic to avoid DoS.
That traffic just happens to be ping traffic. Yes, not being able to send outbound pings is unfortunate, but if the alternative is to lose your connectivity entirely, blocking pings seems preferable. If your network is small and firewall performance is not an issue, you could just allow outbound pings from the unix machines....

> > > Filtering packets by length on the other hand is a very nice feature
> > > to have.
> > As it happens, ipfw[2] does this anyway.

Yes, ipfw2 (i.e., on fbsd-5 boxes) has an "iplen" option that you can put in the body of your rule. From the manpage:

     iplen len
             Matches IP packets whose total length, including header and
             data, is len bytes.

However, this isn't going to help most people with 4.x systems, so their best option is probably still to block all pings.

 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the
 suspicion that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
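The two approaches in the message (drop only worm-sized echo requests with ipfw2's iplen on 5.x, or drop all outbound pings except from trusted unix hosts on 4.x) as an added example that is not from the message or the list: a small rule generator for ipfw. The LAN, interface and trusted hosts are constructed; the packet length is not given in the message, 92 bytes being the total IP length of Nachi echo requests, so confirm it against your own tcpdump output before relying on it.

```shell
#!/bin/sh
# Added example, not from Jason's message. "iplen" mode (FreeBSD 5.x, ipfw2)
# drops only echo requests of the worm's packet length and leaves normal pings
# working; "blanket" mode (the 4.x fallback, no iplen available) drops every
# outbound echo request except from trusted unix hosts. LAN, interface and
# host addresses are constructed. LEN is not stated in the message: 92 is the
# total IP length of Nachi echo requests, verify it with tcpdump on your LAN.
nachi_rules() {
    mode=$1 lan=$2 iface=$3 unix_hosts=$4 len=$5
    # Trusted hosts (comma-separated ipfw2 address list) always keep outbound ping.
    printf 'add 100 allow icmp from %s to any icmptypes 8 out via %s\n' \
        "$unix_hosts" "$iface"
    case $mode in
    iplen)
        # Drop and log only worm-sized echo requests, allow the rest of the LAN's pings.
        printf 'add 110 deny log icmp from %s to any icmptypes 8 iplen %s out via %s\n' \
            "$lan" "$len" "$iface"
        printf 'add 120 allow icmp from %s to any icmptypes 8 out via %s\n' \
            "$lan" "$iface"
        ;;
    blanket)
        # ipfw on 4.x has no iplen: block every other outbound echo request.
        printf 'add 110 deny log icmp from %s to any icmptypes 8 out via %s\n' \
            "$lan" "$iface"
        ;;
    *)
        echo "usage: nachi_rules iplen|blanket LAN IFACE UNIX_HOSTS LEN" >&2
        return 1
        ;;
    esac
}

# With arguments, print the rule set; save it to a file and load it with
# "ipfw -q /path/to/file" (for example from rc.firewall).
if [ $# -ge 5 ]; then
    nachi_rules "$@"
fi
```

Rule 110 logs what it drops, so the ipfw log shows which client is infected rather than only that the flood stopped.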