Re: [nsp] known networks for broadcast ping attacks

[Systems Engineer <snash () lightning net>]

Well to allow ICMP is good for just basic pinging of you or a
traceroute.  I really dont care if other people can traceroute or ping
me so i just deny those lines i mentioned before,  and all ICMP as a
whole.
Until the bug passes and/or gets fixed somehow, I am going to keep those
lines.


root () gannett com wrote:

> On Wed, 30 Jul 1997, Systems Engineer wrote:
>
> > Well ever since this but was introduced to the outside world,  I
> have
> > since modified my present Firewall (ipfwadm v2.3.0) to accomodate.
> >
> > type  prot source               destination          ports
> > deny  icmp 0.0.0.0              0.0.0.255            any
> > deny  icmp 0.0.0.255            0.0.0.0              any
>
> My rule is:
>
> deny icmp   0.0.0.0 0.0.0.0 any
>
> With perhaps specific permits above that for devices that I find have
> a legitimate need for ICMP (be it unreachables, or echo/echo reply).
>
> I was wondering more if there were a good reason, other than for
> dial-up
> users who may need connectivity checks, to allow any ICMP in, or ICMP
> to
> say anything more than a terminal server's address range and certain
> hosts.
>
> Hence my prior discussion on ping-mapping netblocks, and its lack of
> applicability to the number of hosts on my network.
>
> Paul
> ----
> --------------------------------------------------------------------
> Paul D. Robertson
> gatekeeper () gannett com



--
---     ---     ---     ---     ---     ---     ---     ---     ---
Steven Nash                             ph:  (516)248-8400ext25
Systems Engineer / Network Security    fax:  (516)248-8897
Lightning Internet Services LLC      email:  snash () lightning net
http://www.lightning.net
---     ---     ---     ---     ---     ---     ---     ---     ---