Re: Wow - is SuSE hard to configure! - Suse
Thread: Re: Wow - is SuSE hard to configure!

  1. Re: Wow - is SuSE hard to configure!

    David Bolt wrote:
    > On Sat, 2 Jun 2007, wrote:-
    >
    >> Can I just start with how to block all icmp, that is drop all ping
    >> requests without response, for now? I promise to be good, no matter
    >> how frustrated I get. Pretty please . . .

    >
    > A few years ago, when I was using an ISDN connection, I had the
    > following iptables rules[0] to drop unnecessary ICMP packets.
    >
    > -A INPUT -i ippp0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
    > -A INPUT -i ippp0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
    > -A INPUT -i ippp0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
    > -A INPUT -i ippp0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
    > -A INPUT -i ippp0 -p icmp -m icmp --icmp-type 12 -j ACCEPT
    > -A INPUT -i ippp0 -p icmp -j DROP
    >
    > These rules allow incoming echo replies (from me sending a ping),
    > destination unreachable, source quench, time exceeded and parameter
    > problem. All other ICMP packets are dropped.
    >
    > -A OUTPUT -o ippp0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
    > -A OUTPUT -o ippp0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
    > -A OUTPUT -o ippp0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
    > -A OUTPUT -o ippp0 -p icmp -j DROP
    >
    > And these allow outgoing destination unreachable, source quench and echo
    > requests (ping). All other outgoing ICMP packets are dropped.
    >
    > As to whether they worked at hiding me, I don't think so. I was then, and
    > still am, self-hosting so my web and mail servers were both visible. All
    > that these did was stop the almost terminally-clueless script kiddies
    > from spotting my presence. Anyone with at least one working neuron could
    > easily figure out how to see if I was there.
    >
    >
    > [0] snipped straight from the output of iptables-save. I didn't use
    > SuSEfirewall, preferring to roll my own rules, so I don't know how you'd
    > get SuSEfirewall to incorporate something similar to them.
    >
    > Regards,
    > David Bolt
    >


    Doesn't a hardware firewall make all of this unnecessary? Just asking,
    since I don't currently use SUSE's firewall, but am wondering if I should.

    Pat
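    The rule set David quotes above, as an added example that is not part of the thread: a small POSIX shell script that generates the same ICMP policy for any interface in iptables-restore format, so it can be dropped into a hand-rolled rule file rather than retyped. The interface name passed in and the helper names (icmp_rules, rule_count, check_rules) are my own; only the ICMP type numbers and ACCEPT/DROP choices come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the quoted ICMP policy for
# an arbitrary interface in iptables-save/restore syntax.
# Function names and the interface argument are assumptions for illustration.

# Emit the ICMP rules for interface $1.
# Inbound: accept echo-reply (0), destination-unreachable (3), source-quench (4),
# time-exceeded (11) and parameter-problem (12); drop every other ICMP type,
# which includes echo-request (8), so pings get no response at all.
# Outbound: accept destination-unreachable (3), source-quench (4) and
# echo-request (8); drop the rest.
# No ":CHAIN POLICY" lines are emitted on purpose: iptables-restore replaces
# the whole filter table unless run with --noflush, so merge this into your
# existing rule file rather than loading it on its own.
icmp_rules() {
    iface="$1"
    printf '%s\n' "*filter"
    for t in 0 3 4 11 12; do
        printf '%s\n' "-A INPUT -i $iface -p icmp -m icmp --icmp-type $t -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i $iface -p icmp -j DROP"
    for t in 3 4 8; do
        printf '%s\n' "-A OUTPUT -o $iface -p icmp -m icmp --icmp-type $t -j ACCEPT"
    done
    printf '%s\n' "-A OUTPUT -o $iface -p icmp -j DROP"
    printf '%s\n' "COMMIT"
}

# Number of "-A" rule lines generated for interface $1 (*filter/COMMIT excluded).
rule_count() {
    icmp_rules "$1" | grep -c '^-A '
}

# Parse-only check of the generated rules using iptables-restore --test,
# which builds the rule set without committing it. Needs the iptables tools
# (and usually root); when the binary is missing the check is skipped.
check_rules() {
    if command -v iptables-restore >/dev/null 2>&1; then
        icmp_rules "$1" | iptables-restore --test
    else
        echo "iptables-restore not found; skipping syntax check" >&2
    fi
}

# Usage: ./icmp_rules.sh ippp0 > icmp.rules
if [ -n "$1" ]; then
    icmp_rules "$1"
fi
```

    Two caveats worth keeping in mind when adopting the policy. Dropping inbound type 8 is what answers the original question (no reply, rather than an ICMP "administratively prohibited" from REJECT), but inbound types 3 and 11 should stay open as in the quoted rules, since blackholing "fragmentation needed" breaks path-MTU discovery and dropping "time exceeded" breaks outbound traceroute. On a stateful firewall a single `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule already admits echo replies and error messages tied to your own connections, so the inbound type-0 rule is redundant there.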

  2. Re: Wow - is SuSE hard to configure!

    Pat wrote:
    > Doesn't a hardware firewall make all of this unnecessary? Just asking,
    > since I don't currently use SUSE's firewall, but am wondering if I should.


    It should, yes. Try with
    http://www.linux-sec.net/Audit/nmap.test.gwif.html to be sure.

    houghi
    --
    At the source of every error which is blamed on the computer you will
    find at least two human errors, including the error of blaming it on
    the computer.

  3. Re: Wow - is SuSE hard to configure!

    On Mon, 4 Jun 2007, Pat wrote:-

    >Doesn't a hardware firewall make all of this unnecessary?

    Yes, it probably would. However, at that time, there was no hardware
    firewall as the box that those rules were snipped from had the ISDN
    card, which is why the rules applied to ippp0, and was acting as a
    firewall/router for the other boxes connected to it.

    And now those rules are useless as I'm no longer using ISDN. I use ADSL
    with a dedicated modem/router which has a built-in firewall[0]. As to
    how good said firewall is, a port scan from outside only shows up the
    ports I have forwarded so it seems to be fairly okay.

    >Just asking,
    >since I don't currently use SUSE's firewall, but am wondering if I should.

    I still don't use SuSEfirewall, but all my systems have their own rules
    and are (fairly well) locked down.

    [0] I do have an ADSL PCI card that I've yet to actually try out. I
    bought it to act as an almost drop-in replacement for the ISDN card, but
    then I bought the router so it's yet to actually be tried out.

    Regards,
    David Bolt

    --
    Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
    RISCOS 3.11 | SUSE 10.0 32bit | SUSE 10.1 32bit | openSUSE 10.2 32bit
    RISCOS 3.6 | SUSE 10.0 64bit | SUSE 10.1 64bit | openSUSE 10.2 64bit
    TOS 4.02 | SUSE 9.3 32bit | | openSUSE 10.3a4 32bit
