Hey-
i'm using Suse Pro 9.1. I ran a "Shields Up" test yesterday on "all service ports", and all my ports are showing to be stealthed except one. This un-stealthed port is closed, however.
This is relatively good, i guess, but it also shows :

how do i fix these minor issues and go "Stealth Mode" (that sounds cool )


-myk

i think

/usr/sbin/iptables -A INPUT -p icmp -j DROP

aught to shields you up

can you explain what all this means?

Thanks,
-myk

ICMP - Internet Control Message Protocol.

It handles pings (echo request and replies) and several other additional functions like letting the system know that the remote system is unreachable, etc.

This link will help you understand better.
The above rule blocks all icmp traffic that are directed to your system. Not a big deal unless your system is doing a routing function on the net.

Thanks,
i'll forward this info to another user with the same question at PCPitstop.


one more thing, is this a permanent change, or will i need to do this each time i reboot?

-myk

You would need to save the iptables rules so it can be called during boot time...

iptables-save??? in SuSE?

hmmm. igot the same results in my shields up test. Anything else i can try?

-myk

Yes and no. I do not agree with this description. ICMP is an important infrastructure of networking and it is often used for load balancing. Dropping ICMP, especially if you're housing a server is technically wrong. If you do your work right, a ping is only a ping.
Limiting the number of ping for avoiding DoS is ok, avoiding network discoveries in ok but not dropping all icmps...
but it's only my opinion

Try inserting (I) it at the top of the ruleset:
/usr/sbin/iptables -I INPUT -p icmp -j DROP

FWIW TheIrish is correct, in that blocking all ICMP traffic is against RFC specs and can also cause Path MTU discovery failure, which can sometimes lead to connectivity issues. So, it's rather unfortunate that GRC doesn't explain the consequences of completely blocking ICMP on their site.

you can also

iptables -t nat -I PREROUTING -p icmp -j DROP

This will simply discard any icmp traffic at the gate.

I'd really avoid doing packet filtering in the PREROUTING chain. The PREROUTING chain only checks the very first packet in a stream, but none of the subsequent packets are checked. In most circumstances (including this one), it's not an issue, but it can open your firewall up completely in some circumstances and therefore it's normally recommended to avoid doing so if at all possible.

its discouraged to use chains for things they are not meant for, can cause a few problems

and yes, disabling ICMP can lead to problems, as your computer also wont get info on the state of a network if you drop all of these packets, maybe something like

iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -p icmp -j DROP

this allows all related traffic, like a error sent back to you by icmp, this should prevent connectivity issues, if you want to use it only from icmp just use

iptables -A INPUT -m state --state RELATED -p icmp -j ACCEPT

instead...

to block pings other then with iptables you can disable it at the kernel level: browse thru the /proc system

let me go see if i can track the folder here down here ....

got it i think

/proc/sys/net/ipv4

I'm guessing you know what to do from here...

maybe I'm wrong, but I'm not sure it would work. Aren't ICMPs stateless?

i was under the impression (from what i hear around sites) that icmp traffic generated from established connections are then related traffic... tho i might be wrong, i have no way to 100% test it out on my system

Yeah but like UDP, there are still fields in the packets that stateful firewalls can use to determine if it is part of a connection. Source and destination addressess, type/codes or ports, and maybe the ID #.