North American Network Operators Group
Re: [nsp] known networks for broadcast ping attacks
Well, to allow ICMP is good for just basic pinging of you or a traceroute. I really don't care if other people can traceroute or ping me, so I just deny those lines I mentioned before, and all ICMP as a whole. Until the bug passes and/or gets fixed somehow, I am going to keep those lines.

[email protected] wrote:
> On Wed, 30 Jul 1997, Systems Engineer wrote:
>
> > Well, ever since this bug was introduced to the outside world, I have
> > since modified my present Firewall (ipfwadm v2.3.0) to accommodate.
> >
> > type prot source    destination ports
> > deny icmp 0.0.0.0   0.0.0.255   any
> > deny icmp 0.0.0.255 0.0.0.0     any
>
> My rule is:
> deny icmp 0.0.0.0 0.0.0.0 any
>
> With perhaps specific permits above that for devices that I find have
> a legitimate need for ICMP (be it unreachables, or echo/echo reply).
>
> I was wondering more if there were a good reason, other than for dial-up
> users who may need connectivity checks, to allow any ICMP in, or ICMP to
> say anything more than a terminal server's address range and certain
> hosts.
>
> Hence my prior discussion on ping-mapping netblocks, and its lack of
> applicability to the number of hosts on my network.
>
> Paul
> ----
> --------------------------------------------------------------------
> Paul D. Robertson
> [email protected]

--
--- --- --- --- --- --- --- --- ---
Steven Nash                              ph: (516)248-8400 ext 25
Systems Engineer / Network Security      fax: (516)248-8897
Lightning Internet Services LLC          email: [email protected]
http://www.lightning.net
--- --- --- --- --- --- --- --- ---
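The point both posters are making is about rule ordering in a first-match packet filter: a catch-all `deny icmp` at the bottom, with narrow permits for the few hosts that legitimately need ICMP placed above it. The following is an added example, not code from the original thread or from ipfwadm itself. It is a small Python model of first-match evaluation over ipfwadm-style rules (action, protocol, source, destination) and shows that the same three rules, with the catch-all deny moved to the top, silently swallow the permits. The address ranges (192.0.2.0/28 as the "terminal server" range, 198.51.100.1 as a monitored host, 203.0.113.0/24 as the outside) are constructed from documentation prefixes and are assumptions, not values from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "deny"
    proto: str                       # "icmp", "tcp", "udp" or "all"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_rule(line: str) -> Rule:
    """Parse one rule of the form 'deny icmp 0.0.0.0/0 0.0.0.0/0'.

    Hypothetical text format modelled on the ipfwadm listing quoted above;
    a bare address is treated as a /32 host, '0.0.0.0/0' as 'anywhere'.
    """
    action, proto, src, dst = line.split()
    return Rule(action.lower(), proto.lower(),
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False))

def first_match(rules: List[Rule], proto: str, src: str, dst: str,
                default: str = "accept") -> str:
    """Walk the rule list top to bottom; the first rule whose protocol,
    source and destination all match decides the packet's fate.
    If nothing matches, the chain's default policy applies."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("all", proto):
            continue
        if s in r.src and d in r.dst:
            return r.action
    return default

# Constructed rule set: specific ICMP permits first, then Paul's catch-all deny.
CORRECT_ORDER = [parse_rule(l) for l in (
    "accept icmp 192.0.2.0/28     0.0.0.0/0",        # terminal-server range (assumed)
    "accept icmp 0.0.0.0/0        198.51.100.1/32",  # one monitored host (assumed)
    "deny   icmp 0.0.0.0/0        0.0.0.0/0",        # deny every other ICMP
)]

# Same three rules with the catch-all deny on top: the permits can never fire.
WRONG_ORDER = [CORRECT_ORDER[2], CORRECT_ORDER[0], CORRECT_ORDER[1]]

def evaluate(rules: List[Rule]) -> dict:
    """Run a handful of representative packets through a rule list and
    return a name -> decision mapping so the two orderings can be compared."""
    packets = {
        # ICMP echo from the terminal-server range to an inside host
        "ts_echo":       ("icmp", "192.0.2.5",    "203.0.113.7"),
        # ICMP from an arbitrary outside host to an arbitrary inside host
        "outside_echo":  ("icmp", "203.0.113.9",  "203.0.113.7"),
        # ICMP from outside aimed at the one host we explicitly allow
        "to_monitored":  ("icmp", "203.0.113.9",  "198.51.100.1"),
        # Non-ICMP traffic is untouched by any of the rules
        "outside_tcp":   ("tcp",  "203.0.113.9",  "203.0.113.7"),
    }
    return {name: first_match(rules, *pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for label, rules in (("permits above deny", CORRECT_ORDER),
                         ("deny above permits", WRONG_ORDER)):
        print(label)
        for name, decision in evaluate(rules).items():
            print(f"  {name:13s} -> {decision}")
```

With the permits above the deny, the terminal-server echo and the monitored-host traffic are accepted and every other ICMP packet is dropped, while TCP is unaffected; with the deny on top, every ICMP packet is dropped regardless of the permits, which is the failure mode that makes ordering the whole point of "specific permits above that".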