I am a VERY recent windows defector who just managed to install fedora (after a 2 day nightmare of dnloading & corruption & re-dnloading) last night, and I'm in the process of learning iptables and all of that good, command line, shell scripting stuff but in the meantime, I'm pretty sure my system is responding to pings with ICMP type 3 "administratively prohibited", packets (according to ethereal), which would enable an attacker to verify that I have a host online at this address. Untill I learn to edit the iptables script, is there a quick and easy way to stop this? I can find a gui tool that enables/disables a firewall, and some others for adding vpn tunnels and adding/configuring interfaces, but nothing that does that.
Also, how secure is this latest version of fedora in it's default, personal desktop config?
thx.

I do not know a command that will turn off inbound pings. You should continue your iptables research. Here are two iptables rules I use to accomplish what you want. The IP is my linux hosts IP address:

ipchains -A forward -p icmp -j DENY
ipchains -A input -j DENY -p icmp --icmp-type ping -i eth0 -s 0/0 -d 192.168.120.70

Here's some links I refer to often:

http://www.netfilter.org/documentati...entation-howto

http://iptables-tutorial.frozentux.n...al.html#BASICS

http://www.siliconvalleyccie.com/lin...bles-intro.htm

http://www.tldp.org/LDP/LGNET/103/odonovan.html

http://techrepublic.com.com/5100-6261_11-1031075-2.html

Here are the contents of my iptables file. My windows experience leads me to believe that if a config file says "don't edit --- machine generated" then you should change the configuration with the interface designed to make the changes on your behalf after solicting input in the form of drop-downs, radio-buttons, etc(as I'm sure you know). Since this file says that, shouldn't that mean there is such a tool somewhere, otherwise how are you supposed to operate your firewall, or am I missing something or dealing with the wrong file?
----------------------------------------------------------------------------
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Dropping all ICMP is a *very* bad idea.

But to drop incoming pings, add this line right before the line with '--reject-with icmp-host-prohibited'.

I couldn't tell you what FC uses to edit firewall rules, but if you edit that file and run (I think) 'service iptables reload', it should work.

if u edit firewall rules (/etc/sysconfig/iptables) manually,
service iptables restart
command will load the rules that u edited.

but the best way is typing iptables rules in console and then if it works u can save that rules with
service iptables save
command.

good luck.

easy way to do it, is to stop ping is through sysctl commands. And that is where you can stop ping.

Beautiful.

sysctl -w net.ipv4.icmp_echo_ignore_all=1

seems to have done the job. I'm on a standalone box w cable modem so I don't need pings for intra-LAN stuff, and this is just temporary 'til I can work my way through iptables.
Thx

to keep it from one reboot to another adit /etc/sysctl.conf
less drastic option (now you also blocked kernel response to ping = localhost ping)
you can try:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

if you will add any kernel change to the sysctl.conf, you will have to run
#sysctl -p
to check if syntax is correct and to enable new setting immediately

OK, now that I've had some time to go over documentation, I think I've found the file to modify and the modification to make that will prevent ping responses. The file is "/sysconfig/iptables" and the contents of it are:
-----------
# Generated by iptables-save v1.3.0 on Tue Jul 19 09:49:39 2005
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5033:1360444]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jul 19 09:49:39 2005
-----------
I'm thinking that if I modify line 10 and replace ACCEPT with DROP, it will not only silently ignore echo requests, but the change will be persistent over reboots --- or am I misunderstanding something?

If you drop all ICMP, your network will be horribly (well, somewhat) broken. For example, you will be unable to ping anyone else (ICMP ECHOREPLY will be dropped), traceroute will not work (ICMP TIMXCEED), you won't get destination unreachable messages (it'll just be silent) as those are ICMP type 3. Check here to see what all ICMP is used for.