Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
06-14-2004, 03:49 PM
|
#1
|
LQ Newbie
Registered: Aug 2003
Location: Le Quebec simonac !
Distribution: Red Hat / Slackware
Posts: 6
Rep:
|
Is that a good thing to block ICMP protocol on a Web server?
Hello everybody. First, sorry, English is not my native language, so my message can sound a bit weird at times. I'm running a Web server with the following additional services:
- FTP
- SSH
- SMTP
- POP3
- IMAP
- HTTPS
- MySQL
I'm using iptables to block anything but the ports necessary to keep the above services functional. But when it comes time to decide what to filter on the ICMP protocol, I don't know exactly what is good to block (if anything to block). From what I have read so far, it seems that a lot of people think that it's security-wise to block the whole ICMP protocol (it's what I'm thinking too), but there are other people saying that doing so makes your server not RFC compliant and that it can cause problems. But what kind of problems exactly? I don't care if someone can't ping my server (in fact it's what I want), but I care if blocking ICMP can cause problems with the essential services running on my server. From what I understand, ICMP is only a diagnostic protocol and it's not supposed to affect the services running on my server, but I just want to be sure. For example, is it possible that blocking ICMP can cause problems for a customer sending me an email, because a router tries to diagnose my server, my server replies nothing, and the router finally thinks "this host is down or doesn't exist"? Is something like that possible? Thanks!
|
|
|
06-15-2004, 04:57 AM
|
#2
|
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
|
If you drop all ICMP then you break PMTU (Path MTU discovery). That means the other end of the connection can't discover if they can safely increase their MTU, or if they need to decrease it. Basically your network performance and reliability might be degraded in certain circumstances.
You should probably allow at least type 3/code 4, and possibly type 11/code 0 (just from glancing over the table in TCP/IP Illustrated).
By the way, why are you allowing external access to MySQL? Are you sure that's absolutely necessary? Your webserver should definitely not need to allow outside connections to that in order for your site to work. If dynamic content on the page is being generated by database queries, more than likely those are either happening on UNIX sockets, or connections to the loopback adaptor (127.0.0.1), so it should be fine to shut off external access (and that should improve security dramatically, because there are a lot of evil things you can do to an exposed database).
|
|
|
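The rule choice discussed in the two posts above, as an added example that is not part of the thread: a small checker that walks an `iptables-save` style INPUT chain and reports whether type 3/code 4, type 11/code 0 and ping get through. The function names (`icmp_verdict`, `pmtud_check`) and both sample rulesets are constructed for illustration, and only `-p icmp` rules plus the chain policy are evaluated.

```sh
#!/bin/sh
# Added example, not from the thread. Walks an iptables-save style INPUT chain
# first-match and reports what happens to one ICMP type/code.
# Assumption: only "-p icmp" rules and the chain policy decide the packet
# (no earlier state-match or jump rule is evaluated).

icmp_verdict() {   # usage: icmp_verdict TYPE CODE < ruleset
    awk -v t="$1" -v c="$2" '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / && / -p icmp / {
            spec = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--icmp-type") spec = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            terminal = (target == "ACCEPT" || target == "DROP" || target == "REJECT")
            # No --icmp-type matches every ICMP packet; "3" matches all codes of type 3.
            hit = (spec == "" || spec == "any" || spec == t || spec == (t "/" c))
            if (!done && terminal && hit) { verdict = target; done = 1 }
        }
        END { if (!done) verdict = policy; print verdict }'
}

# Constructed sample: the "block the whole ICMP protocol" approach from the question.
BLOCK_ALL=':INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j DROP'

# Constructed sample: only the two messages named in the reply pass; ping stays blocked.
SELECTIVE=':INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
-A INPUT -p icmp -j DROP'

pmtud_check() {    # returns 1 when type 3/code 4 (fragmentation needed) is not accepted
    frag=$(printf '%s\n' "$1" | icmp_verdict 3 4)
    ttl=$(printf '%s\n' "$1" | icmp_verdict 11 0)
    ping=$(printf '%s\n' "$1" | icmp_verdict 8 0)
    echo "3/4 frag-needed: $frag | 11/0 TTL exceeded: $ttl | 8/0 echo request: $ping"
    [ "$frag" = ACCEPT ]
}

pmtud_check "$BLOCK_ALL" || echo "BLOCK_ALL: Path MTU discovery breaks"
pmtud_check "$SELECTIVE" && echo "SELECTIVE: Path MTU discovery keeps working"
```

To check a live host, feed the function real output instead of the samples, for example `iptables-save | icmp_verdict 3 4` as root.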
06-15-2004, 06:49 AM
|
#3
|
LQ Newbie
Registered: Aug 2003
Location: Le Quebec simonac !
Distribution: Red Hat / Slackware
Posts: 6
Original Poster
Rep:
|
Hi chort! Thanks a lot for your reply. I will try to let pass only type 3/4 and 11/0 like you have mentioned. For MySQL you are absolutely right, but I have one or two things to verify before blocking it from the exterior. Thanks A LOT for your suggestions; they help me and give me confidence that I'm going to do the right things for my server. Thanks!
|
|
|
All times are GMT -5. The time now is 09:25 PM.