Home page logo
/

nanog logo nanog mailing list archives

Re: [nsp] known networks for broadcast ping attacks
From: Systems Engineer <snash () lightning net>
Date: Wed, 30 Jul 1997 18:03:25 -0400

Well to allow ICMP is good for just basic pinging of you or a
traceroute.  I really dont care if other people can traceroute or ping
me so i just deny those lines i mentioned before,  and all ICMP as a
whole.
Until the bug passes and/or gets fixed somehow, I am going to keep those
lines.


root () gannett com wrote:

On Wed, 30 Jul 1997, Systems Engineer wrote:

Well ever since this but was introduced to the outside world,  I
have
since modified my present Firewall (ipfwadm v2.3.0) to accomodate.

type  prot source               destination          ports
deny  icmp 0.0.0.0              0.0.0.255            any
deny  icmp 0.0.0.255            0.0.0.0              any


My rule is:

deny icmp   0.0.0.0 0.0.0.0 any

With perhaps specific permits above that for devices that I find have
a legitimate need for ICMP (be it unreachables, or echo/echo reply).

I was wondering more if there were a good reason, other than for
dial-up
users who may need connectivity checks, to allow any ICMP in, or ICMP
to
say anything more than a terminal server's address range and certain
hosts.

Hence my prior discussion on ping-mapping netblocks, and its lack of
applicability to the number of hosts on my network.

Paul
----
--------------------------------------------------------------------
Paul D. Robertson
gatekeeper () gannett com



--
---     ---     ---     ---     ---     ---     ---     ---     ---
Steven Nash                             ph:  (516)248-8400ext25
Systems Engineer / Network Security    fax:  (516)248-8897
Lightning Internet Services LLC      email:  snash () lightning net
http://www.lightning.net
---     ---     ---     ---     ---     ---     ---     ---     ---





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]