It is easy to specify which types of ICMP items you want to turn off.
There are many:
ipchains -h icmp | more
-jeremy
> Is it easy to turn off specific ICMP messages? Maybe that is a good
> suggestion we can make to ICSA.
>
> At 01:52 PM 6/14/00 -0400, Jeremy Hansen wrote:
>
> >I have always been told what Drew suggests. Rusty Nelson I believe
> >covered this on the netfilter list some time back. ICMP is used for very
> >useful things and can actually hurt your network if blocked completely. I
> >like Rusty's explanation better. I'm sure someone on here can get more
> >specific.
> >
> >-jeremy
> >
> > > At 09:25 AM 6/14/00 -0700, Drew Streib wrote:
> > > >On Wed, Jun 14, 2000 at 09:08:19AM -0700, Wayne wrote:
> > > > > In reality, many security audit advisors warn companies to
> > > > > block ICMP messages totally, either at their router or firewall.
> > > > > So ICMP messages from clients will never get to servers anyway.
> > > >
> > > >In reality, this is also considered bad practice and isn't compliant
> > > >with several standards. ICMP route detection is extremely important
> > > >to some networks. Turning off specific ICMP message types is more
> > > >courteous. :)
> > >
> > >
> > > Then you may want to make some suggestions to ICSA -- International
> > > Computer Security Association, which certifies sites to be ICSA certified.
> > > They require you to turn ICMP off, unless your site cannot work without
> > > it, otherwise they will not certify you. The reason is that ICMP is
> > > not authenticated, so that the intruders can use it as well.
> > >
> > >
> > >
> >
> >--
> >
> >http://www.xxedgexx.com | jeremy@xxxxxxxxxxxx
> >---------------------------------------------
> >
> >
>
--
http://www.xxedgexx.com | jeremy@xxxxxxxxxxxx
---------------------------------------------
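
Added example, not part of the original messages: a shell function that prints ipchains rules accepting only a chosen set of ICMP types and denying (with logging) everything else, which is the selective approach the thread recommends over blocking ICMP entirely. The allow list and the function names are assumptions of this example; the type names are among those listed by `ipchains -h icmp`.

```shell
#!/bin/sh
# Added example. Prints ipchains rules; nothing is applied to the running firewall.

# Top-level type names from `ipchains -h icmp` that this script accepts as input.
KNOWN_TYPES="echo-reply destination-unreachable source-quench redirect echo-request
router-advertisement router-solicitation time-exceeded parameter-problem
timestamp-request timestamp-reply address-mask-request address-mask-reply"

# Assumed allow list (not from the thread): error messages that path MTU
# discovery and traceroute depend on, plus replies to our own pings.
DEFAULT_ALLOW="destination-unreachable time-exceeded parameter-problem echo-reply"

# Succeeds if $1 is one of the names in KNOWN_TYPES.
is_known_type() {
    for k in $KNOWN_TYPES; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# icmp_rules CHAIN [TYPE...]
# Emits one ACCEPT rule per allowed type, then a logged DENY for all other ICMP.
# Returns 1 without printing any rule if a type name is not recognised, so a
# typo cannot silently produce a rule set that only contains the final DENY.
icmp_rules() {
    chain=$1; shift
    [ $# -gt 0 ] || set -- $DEFAULT_ALLOW
    for t in "$@"; do
        if ! is_known_type "$t"; then
            echo "unknown ICMP type: $t" >&2
            return 1
        fi
    done
    for t in "$@"; do
        echo "ipchains -A $chain -p icmp --icmp-type $t -j ACCEPT"
    done
    # Everything not accepted above is dropped and logged (-l).
    echo "ipchains -A $chain -p icmp -j DENY -l"
}

icmp_rules input
```

Review the printed rules before loading them; accepting `destination-unreachable` keeps the fragmentation-needed messages that path MTU discovery relies on.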