Stopping suspicious ICMP activity
Does anyone know how to stop only suspicious ICMP activity?
Meaning allow only the normal ping packets but stop weird ones and "specially crafted" ones that have been in security articles recently. Do you know how to do this with ipchains? Because right now my rule about ICMP is this:

ipchains -A input -j DENY -p ICMP -i ppp0

Which prevents me from doing much but also prevents ping scanning. Thanks in advance
crudely ripping it straight out of my firewall script...

$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type echo-request -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type destination-unreachable -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type host-unreachable -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-request -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type timestamp-reply -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-request -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type address-mask-reply -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type redirect -j $STOP
$IPT -t filter -A INPUT -p icmp -s 0/0 -d $NET --icmp-type source-quench -j $STOP
$IPT -t filter -A OUTPUT -p icmp -s $INNET -d 0/0 -j ACCEPT
$IPT -A OUTPUT -p icmp -s $NET -d 0/0 -o $IF -j ACCEPT

So there are lots of different ICMP types you can specify, so I guess to do it manually you'd block them by default and then specifically allow the ones you want. You'd do well to be using iptables over ipchains if possible, btw.
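
The "block by default, then allow the ones you want" approach from the reply above, written out as an added example (not taken from either poster's firewall script). The interface name ppp0 comes from the question; the chain name ICMP_IN, the rate limits, the log prefix and the choice of allowed types are assumptions.

```shell
#!/bin/sh
# Added example: default-deny inbound ICMP with an explicit allowlist.
# The function only prints iptables commands, so the rule set can be
# reviewed before it is applied as root (for example by piping it to sh).

# Inbound types accepted without a rate limit (assumed list).
# echo-reply answers our own outbound pings; time-exceeded and
# parameter-problem are error reports for traffic we sent.
# destination-unreachable is kept, unlike in the posted rules, because it
# carries fragmentation-needed, which path MTU discovery relies on.
ALLOW_TYPES="echo-reply destination-unreachable time-exceeded parameter-problem"

# icmp_allowlist_rules EXT_IF [IPTABLES_BINARY]
icmp_allowlist_rules() {
    ext_if=$1
    ipt=${2:-iptables}
    chain=ICMP_IN   # hypothetical chain name

    # All ICMP arriving on the external interface goes through one chain.
    echo "$ipt -N $chain"
    echo "$ipt -A INPUT -i $ext_if -p icmp -j $chain"

    # Ordinary ping stays usable, but rate-limited so sweeps and floods
    # fall through to the DROP at the end.
    echo "$ipt -A $chain -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT"

    for t in $ALLOW_TYPES; do
        echo "$ipt -A $chain -p icmp --icmp-type $t -j ACCEPT"
    done

    # Everything not listed (redirect, timestamp-request, address-mask-request,
    # source-quench, unknown types) is logged at a bounded rate, then dropped.
    echo "$ipt -A $chain -m limit --limit 6/min -j LOG --log-prefix \"icmp-drop: \""
    echo "$ipt -A $chain -j DROP"
}

# Print the rule set for the interface from the question (override with EXT_IF).
icmp_allowlist_rules "${EXT_IF:-ppp0}"
```

Rule order matters here: the rate-limited echo-request rule and the allowlist must come before the final LOG and DROP, since iptables stops at the first matching terminating target.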