Re: ipchains rules

[Pavel Epifanov]

--- Daniel Ginsburg <[EMAIL PROTECTED]> wrote:
> On Wed, Apr 11, 2001 at 11:13:43PM +0400, George Sergeyev wrote:
> > ëÁË ÐÒÁ×ÉÌØÎÏ ÂÕÄÅÔ Ú×ÕÞÁÔØ ÚÁËÌÉÎÁÎÉÅ ÄÌÑ ipchains ver 1.3.9,
> > ÚÁÐÒÅÝÁÀÝÅÅ ÐÒÉÅÍ icmp echo-request ÐÁËÅÔÏ× ÉÚ ÎÅÎÁÄÅÖÎÏÊ ÞÁÓÔÉ ÓÅÔÉ.
> > âÅÚÒÅÚÕÌØÔÁÔÎÏ ÐÅÒÅÐÒÏÂÏ×ÁÌ ÍÎÏÖÅÓÔ×Ï ËÏÍÂÉÎÁÃÉÊ. (1002-Ñ ÎÏÞØ)
> 
> ðÏÚ×ÏÌØÔÅ ÐÏÉÎÔÅÒÅÓÏ×ÁÔØÓÑ, ÚÁÞÅÍ ÖÅ ÷Ù ÖÅÌÁÅÔÅ ÚÁÐÒÅÔÉÔØ echo-requests?
> åÓÌÉ ÷Ù ÓÏÏÂÝÉÔÅ ÍÎÅ ÄÏÓÔÁÔÏÞÎÏ ×ÅÓËÉÊ ÄÏ×ÏÄ × ÐÏÌØÚÕ ÚÁÐÒÅÝÅÎÉÑ ÜÔÉÈ ICMP
> ÓÏÏÂÝÅÎÉÊ, ÔÏ, ÂÅÚÕÓÌÏ×ÎÏ, Ñ ÓËÁÖÕ ÷ÁÍ, ËÁË ÜÔÏ ÓÄÅÌÁÔØ, ÎÏ, ÐÒÉÚÎÁÔØÓÑ, Ñ
> ÕÍÁ ÎÅ ÐÒÉÌÏÖÕ, ËÁËÉÍ ÏÂÒÁÚÏÍ ÚÁÐÒÅÝÅÎÉÅ ÜÔÉÈ ÓÏÏÂÝÅÎÉÊ ÍÏÖÅÔ ÐÏ×ÌÉÑÔØ ÎÁ
> ÆÕÎËÃÉÏÎÉÒÏ×ÁÎÉÅ ÷ÁÛÅÊ ÓÉÓÔÅÍÙ.

It is simple. George probably have read "ICMP scanning" document where
different techniques of ICMP scans are described. echo-request is just one of
them. The same kind of ICMP could be also used for DoS.

There is a sense to DENY such _incoming_ requests on a gateway or on a home
computer directly connected to Internet. This is a recommended practice as I am
aware of. Several websites already have it (I remember www.ibm.org).





=====
Yours,
Pavel V. Epifanov.

---

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 
http://personal.mail.yahoo.com/