North American Network Operators Group

Re: [nsp] known networks for broadcast ping attacks
On Wed, 30 Jul 1997, Systems Engineer wrote:

> Well ever since this bug was introduced to the outside world, I have
> since modified my present Firewall (ipfwadm v2.3.0) to accommodate.
>
> type  prot  source     destination  ports
> deny  icmp  0.0.0.0    0.0.0.255    any
> deny  icmp  0.0.0.255  0.0.0.0      any
>

My rule is:

deny icmp 0.0.0.0 0.0.0.0 any

With perhaps specific permits above that for devices that I find have a
legitimate need for ICMP (be it unreachables, or echo/echo reply).

I was wondering more if there were a good reason, other than for dial-up
users who may need connectivity checks, to allow any ICMP in, or ICMP to
say anything more than a terminal server's address range and certain hosts.

Hence my prior discussion on ping-mapping netblocks, and its lack of
applicability to the number of hosts on my network.

Paul
-------------------------------------------------------------------------
Paul D. Robertson [email protected]