Date: Mon, 21 Aug 2000 15:12:21 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: willwong@anime.ca (William Wong)
Cc: billf@chimesnet.com (Bill Fumerola), freebsd-security@FreeBSD.ORG
Subject: Re: icmptypes
Message-ID: <200008212212.PAA31227@gndrsh.dnsmgr.net>
In-Reply-To: <006301c00bbb$13b9afa0$0300a8c0@anime.ca> from William Wong at "Aug 21, 2000 05:59:26 pm"
> Hi Bill,
>
> I tried to "reset icmp" and it said that reset is only valid for tcp
> packets. Would the polite way be to use some sort of "unreach" code?

Please read the RFC documenting icmp, don't have the number off hand, but
it is a protocol violation to generate an icmp packet due to an icmp packet,
except for very specific conditions (icmp echo request -> icmp echo reply,
icmp netmask request -> icmp netmask reply and I think there is one other).
The major reason being you can quite easily create an icmp storm if you
start sending icmp packets in response to icmp packets.

Just allow 0,3,8,11 (and sometimes 12, though they are very rare, they can
help to cleanup a connection attempt that has gone wrong) and deny or
deny/log all the others. You may also want to allow icmp type 5 out of
your system, and possibly in from _trusted_ routers.

There is no polite way to deny an icmp packet, the action of discarding it
is the best thing to do if you want to protect yourself.

Please read the fine paper you have been pointed to by others, trust that
some of the brightest minds in internet security have either looked at or
helped draft it, and follow its recommendations.

> Regards,
> - Will
>
>
> > > Instead of just dropping an icmp packet with say ipfw's deny rule, is
> > > there a "polite" way to deny the packet. To clarify, I want to send an
> > > equivalent of a "tcp reset" back, to let them know it's closed. Or is
> > > there no such thing as this for the icmp protocol?
> >
> > Instead of 'deny' use 'reset'. Of course, this opens you up to a multitude
> > of DoS related problems, but you're at least being a good neighbor....
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
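The policy Rod lays out (pass types 0, 3, 8, 11 and optionally 12 both ways, let type 5 out and in only from trusted routers, silently drop or log everything else, and never answer ICMP with ICMP) is small enough to model end to end. The following is an added example, not code from the thread or from FreeBSD: it parses an ICMP header from raw bytes, verifies the RFC 792 checksum, applies the policy, and renders the equivalent ipfw rules. The packet bytes, the trusted-router address 192.0.2.1 and the rule numbers are constructed for illustration.

```python
# Added example modelling the ICMP filtering policy from the thread.
# Packets, addresses and rule numbers below are constructed, not real.
import struct
from dataclasses import dataclass

# ICMP types named in the thread (RFC 792 numbering).
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 0, 3, 5, 8, 11, 12

# "Just allow 0,3,8,11 (and sometimes 12)".
ALLOWED_BOTH_WAYS = frozenset({ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM})


@dataclass
class IcmpHeader:
    type: int
    code: int
    checksum_ok: bool


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 792 / RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(typ: int, code: int, payload: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Constructed ICMP message: type, code, correct checksum, 4-byte rest-of-header."""
    body = struct.pack("!BBH", typ, code, 0) + payload
    return struct.pack("!BBH", typ, code, icmp_checksum(body)) + payload


def parse_icmp(packet: bytes) -> IcmpHeader:
    """Decode type/code and recompute the checksum with the checksum field zeroed."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code, csum = struct.unpack("!BBH", packet[:4])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    return IcmpHeader(typ, code, icmp_checksum(zeroed) == csum)


def decide(hdr: IcmpHeader, direction: str, src: str, trusted_routers=frozenset()) -> str:
    """Return 'allow' or 'deny-log'. There is deliberately no 'reset' or
    'unreach' outcome: answering ICMP with ICMP is the protocol violation
    and ICMP-storm risk the thread warns about, so unwanted ICMP is dropped."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if not hdr.checksum_ok:
        return "deny-log"
    if hdr.type in ALLOWED_BOTH_WAYS:
        return "allow"
    if hdr.type == REDIRECT:
        # Type 5 out of the system; in only from _trusted_ routers.
        if direction == "out" or src in trusted_routers:
            return "allow"
        return "deny-log"
    return "deny-log"


def ipfw_rules(trusted_routers=(), base=1000, log_others=True):
    """Render the same policy as ipfw(8) rules using its icmptypes option.
    Rule numbers are arbitrary; check the syntax against ipfw(8) on your release."""
    rules = [
        "ipfw add %d allow icmp from any to any icmptypes 0,3,8,11,12" % base,
        "ipfw add %d allow icmp from any to any out icmptypes 5" % (base + 10),
    ]
    for i, router in enumerate(sorted(trusted_routers)):
        rules.append("ipfw add %d allow icmp from %s to any in icmptypes 5" % (base + 20 + i, router))
    action = "deny log" if log_others else "deny"
    rules.append("ipfw add %d %s icmp from any to any" % (base + 90, action))
    return rules


if __name__ == "__main__":
    trusted = frozenset({"192.0.2.1"})  # constructed address
    for typ, code, direction, src in [(8, 0, "in", "198.51.100.7"), (5, 1, "in", "198.51.100.7"),
                                      (5, 1, "in", "192.0.2.1"), (13, 0, "in", "198.51.100.7")]:
        hdr = parse_icmp(build_icmp(typ, code))
        print("type %2d %s from %-13s -> %s" % (typ, direction, src, decide(hdr, direction, src, trusted)))
    print("\n".join(ipfw_rules(trusted)))
```

The checksum check matters because a corrupted or truncated header is exactly the kind of packet the thread says should simply be discarded; the model drops it before the type is even considered, and logs the drop so an operator can see what arrived.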