which iptables to modify? I have 3.
I'm just learning about security and did a port scan at grc.com. I got a "Stealth" status except for one thing, my machine will reply to pings. They say most firewalls can be configured to ignore pings.
I think this needs to be done by modifying my iptables script. The thing is, I have three of them on my Fedora distribution:
/var/lock/subsys/iptables
/etc/sysconfig/iptables
/etc/rc.d/init.d/iptables
None of them are symlinks to another. So, which iptables script should I modify and, for bonus points, does anyone know how to set my machine to ignore pings? Thanks.
Just run:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Thanks, that certainly did the trick!
For Fedora users (possibly Red Hat users), what is the "proper" place to stick these two lines so they automatically run at startup?
You can put the commands at the end of rc.local or configure the directives in /etc/sysctl.conf
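Added example, not from the thread: a small audit script that checks both the live kernel values under /proc that the two echo commands set and the matching persistent directives in a /etc/sysctl.conf-style file. The function names, the fake proc tree and the sample config are constructed for the demo so it runs without root.

```shell
#!/bin/sh
# Audit whether a host ignores ICMP echo requests: live kernel state
# (/proc/sys/net/ipv4/icmp_echo_ignore_*) and the persistent sysctl.conf form.

# Read one ipv4 sysctl from a proc tree. $1 = proc root, $2 = key.
# A missing or unreadable file reads as 0 so the check fails closed.
read_ipv4_sysctl() {
    f="$1/sys/net/ipv4/$2"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Returns 0 when both unicast and broadcast echo requests are ignored,
# 1 otherwise. $1 = proc root (defaults to the real /proc).
icmp_echo_ignored() {
    root="${1:-/proc}"
    all=$(read_ipv4_sysctl "$root" icmp_echo_ignore_all)
    bcast=$(read_ipv4_sysctl "$root" icmp_echo_ignore_broadcasts)
    echo "icmp_echo_ignore_all=$all icmp_echo_ignore_broadcasts=$bcast"
    [ "$all" = 1 ] && [ "$bcast" = 1 ]
}

# Returns 0 when the sysctl.conf-style file $1 sets both directives to 1.
# Whitespace around '=' is tolerated; commented-out lines do not count.
sysctl_conf_ignores_echo() {
    for key in net.ipv4.icmp_echo_ignore_all net.ipv4.icmp_echo_ignore_broadcasts; do
        sed 's/[[:space:]]//g' "$1" | grep -Fxq "$key=1" || return 1
    done
}

# Demo on a constructed proc tree and config (not the real system files).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/sys/net/ipv4"
    echo 1 > "$tmp/proc/sys/net/ipv4/icmp_echo_ignore_all"
    echo 0 > "$tmp/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
    icmp_echo_ignored "$tmp/proc" || echo "kernel still answers broadcast pings"
    cat > "$tmp/sysctl.conf" <<'EOF'
# persistent form of the two echo commands, as you would put in /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
    sysctl_conf_ignores_echo "$tmp/sysctl.conf" && echo "sysctl.conf persists both settings"
    rm -rf "$tmp"
}

demo
```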
Actually, responding to a ping is a requirement of RFC 1122. So not many distros will supply you with a non-compliant firewall. But they will give you the option to not comply, if you so choose. Don't let the port scanners scare you; replying to a ping does not make your computer any more vulnerable to an attack than not replying.
There is a good discussion on the subject here.
Very interesting, /bin/bash. Nice to hear the straight dope from someone who knows. I know next to nothing about security and want to open up port 80 to run a web server for the first time, so I'm trying to learn all I can before doing so. Thanks!
Although it doesn't help security much, it does deter some viruses. Viruses like the MS Blaster virus used pings to find out which machines were responding, then flooded them with more traffic. Although Linux will be immune to Microsoft viruses, it will still push extra traffic in your direction.
I had never heard that side of the argument before and I thought it was logical. I have since become less concerned about getting all green blocks on www.grc.com. :) And I think the attacks david_ross is referring to are usually aimed at bigger fish than me, e.g. Microsoft.com or better yet SCO.com :D