Re: Best way to filter "Nachi pings"?
From: Jason Stone (freebsd-securitydfmm.org)
Date: Mon Oct 27 2003 - 05:12:48 CST
> > > D'oh? I like ping very much
> > The security and DoS concerns are really kind of obvious.
> Blocking all ping packets to improve security is nothing more than
> security through obscurity.
No, you're missing the point - when all of my clients started massively
pinging the internet, the load on my NAT box brings down connectivity for
my whole office. We're not talking about obscuring the layout of a
network - we're talking about a client that is massively flooding with a
particular kind of traffic, and so we're blocking that traffic to avoid
DoS. That traffic just happens to be ping traffic. Yes, not being able
to send outbound pings is unfortunate, but if the alternative is to lose
your connectivity entirely, blocking pings seems preferable.
If your network is small and firewall performance is not an issue, you
could just allow outbound pings from the unix machines....
> > > Filtering packets by length on the other hand is a very nice feature
> > > to have.
> > As it happens, ipfw does this anyway.
Yes, ipfw2 (i.e., on fbsd-5 boxes) has an "iplen" option that you can put in
the body of your rule. From the manpage:
Matches IP packets whose total length, including header and
data, is len bytes.
However, this isn't going to help most people with 4.x systems, so their
best option is probably still to block all pings.
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
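As an added illustration (not code from this thread), the following Python script emulates what the ipfw2 "iplen" match described above does: it reads the IP total-length field of each packet and denies only echo requests of the worm's size, leaving ordinary pings and echo replies alone. The 92-byte figure is Nachi/Welchia's known packet size and the sample packets are constructed here; neither comes from the post.

```python
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# Welchia/Nachi echo requests are 92 bytes at the IP layer (20-byte IP header
# + 8-byte ICMP header + 64 data bytes of 0xAA). That is the worm's known
# characteristic, not a figure stated in the list post.
NACHI_IPLEN = 92


def build_ipv4_icmp(icmp_type, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal IPv4+ICMP packet (sample input, checksums left zero)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_ICMP, 0, src, dst)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + payload


def parse_ipv4(packet):
    """Return (protocol, total_length, icmp_type_or_None) from a raw packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None, None, None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    icmp_type = packet[ihl] if proto == IPPROTO_ICMP and len(packet) > ihl else None
    return proto, total_len, icmp_type


def iplen_rule_matches(packet, icmp_type=ICMP_ECHO_REQUEST, iplen=NACHI_IPLEN):
    """Emulate 'deny icmp from any to any icmptypes 8 iplen 92': iplen compares
    the IP total-length field (header plus data), as the manpage excerpt says."""
    proto, total_len, typ = parse_ipv4(packet)
    return proto == IPPROTO_ICMP and typ == icmp_type and total_len == iplen


def filter_packets(packets):
    """Apply the rule to each packet and return 'deny' or 'allow' per packet."""
    return ["deny" if iplen_rule_matches(p) else "allow" for p in packets]


# Constructed samples: a worm-style ping, FreeBSD's default 56-byte ping,
# Windows' default 32-byte ping, and a 92-byte echo *reply* (must pass).
SAMPLES = [
    build_ipv4_icmp(ICMP_ECHO_REQUEST, b"\xaa" * 64),
    build_ipv4_icmp(ICMP_ECHO_REQUEST, bytes(56)),
    build_ipv4_icmp(ICMP_ECHO_REQUEST, bytes(32)),
    build_ipv4_icmp(ICMP_ECHO_REPLY, b"\xaa" * 64),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, filter_packets(SAMPLES)):
        print(len(pkt), "bytes ->", verdict)
```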