[ILUG] Hardening Linux
John P. Looney
john at antefacto.com
Thu May 30 14:36:28 IST 2002
On Thu, May 30, 2002 at 01:45:53PM +0100, Dave Wilson mentioned:
> >>Allow incoming ICMP
> >I would only allow ICMP (pings) from local hosts (or better still no hosts
> >at all).
> >Just makes it a little bit harder to detect for script kiddies...
> Disagree; ICMP is needed for path mtu discovery and other stuff. Things
> can *appear* to work but may fail in interesting ways for a small number
> of people if you block it. Realistically, the fact that it's on the
> internet (i.e. has a global IPv4 address) means it will be scanned for
> vulnerabilities frequently; blocking ICMP won't change that significantly.
Indeed. And, if the box is already running a webserver on an IP, blocking
ICMP to that IP isn't going to help much. A good rule of thumb is:
If a firewall blocks ICMP, it's broken.
John Looney Chief Scientist
a n t e f a c t o t: +353 1 8586004
www.antefacto.com f: +353 1 8586014
More information about the ILUG