James G. Sack (jim) wrote:
Gregory K. Ruiz-Ade wrote:
On Mar 29, 2006, at 1:12 AM, Ralph Shumaker wrote:
How do I get fc4 to drop ping requests? I've looked in a few places,
but am coming up blank.
If you're using the "built-in" firewall, add this line somewhere in the
middle (likely before any other line with "icmp" in it, or just replace
those lines with this one):
-A RH-Firewall-1-INPUT -p icmp -j DROP
That will drop all icmp packets on the floor, so ping & friends will no
longer work.
It's not an elegant solution, and there are cases where pings are good
things, so use my advice at your own risk. :)
!!! Fell-Swoop ICMP-Disabling considered harmful !!!
(to app protocols and other friendlies)
Quoting from Ziegler's _Linux Firewalls_, 2nd ed, p171:
------------------------------------------------------
Error Status and Control Messages
Four ICMP control and status messages need to pass through a firewall:
Source Quench, Parameter Problem, incoming Destination Unreachable, and
outgoing Destination Unreachable of subtype Fragmentation Needed. Four
other ICMP message types are optional: Echo Request, Echo Reply, other
outgoing Destination Unreachable subtypes, and Time Exceeded. Other
message types can be ignored, to be filtered out by the default policy.
-----------------------------------------------------------------------
.jim
Thanks Jim. But I am not familiar enough to really understand what this
is saying. Is this saying that it is possible to allow only the four
necessary ICMP messages and drop the rest? From where do these four
messages come? And if it is saying that it is possible to drop all
others, how do I do it?
Gregory told me how to drop them all, although he did not specify what
file I would need to modify nor where I can find it.
I would just like to make my fc4 PC (with default firewall) as invisible
as possible to casual scans on the internet. Occasionally I see way
too much activity when I think there should be none. It's not happening
right now, so I cannot provide an example. The ports are blocked, but
ping requests are not.
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
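Editor's note: the following is an added example, not text from any of the three posters, showing one way to do what the thread discusses. On FC4 the "built-in" firewall is the file /etc/sysconfig/iptables, loaded with iptables-restore by the iptables init script (`service iptables restart` reloads it), and Gregory's `-A RH-Firewall-1-INPUT ...` line is in that file's format. The fragment below assumes the stock FC4 layout of that file (a single `-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT` line, an ESTABLISHED,RELATED rule, service rules, and a closing REJECT) and replaces the `--icmp-type any` line with Ziegler's list: the incoming types he says must pass are accepted by name, Time Exceeded is accepted as an optional type, and everything else, Echo Request included, is dropped. The outgoing Fragmentation Needed case is not addressed here because the FC4 default only filters INPUT and FORWARD; OUTPUT stays at policy ACCEPT.

```text
# /etc/sysconfig/iptables, FC4 built-in firewall, iptables-save format.
# Added example, not the stock file: the ICMP section is rewritten to pass
# only the ICMP types listed in Ziegler's _Linux Firewalls_ (p171) and to
# drop the rest, so ping (echo-request) gets no answer at all.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Moved ahead of the ICMP block (the stock file has it later) so that
# echo-replies to pings this host sends, and ICMP errors tied to its own
# connections, are admitted before the DROP below can catch them.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ziegler's required incoming control/status messages.
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Optional per Ziegler: needed for traceroute to finish. Delete to drop it.
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# All remaining ICMP, echo-request included, is silently dropped here so
# it never reaches the REJECT at the end of the chain (REJECT would send
# an ICMP error back and confirm that the host is up).
-A RH-Firewall-1-INPUT -p icmp -j DROP
# Stock service rules follow; keep whichever ones the machine needs.
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

After editing the file, `service iptables restart` loads it and `iptables -L RH-Firewall-1-INPUT -n -v` shows the live chain with per-rule packet counters; a ping from another host should now increment the `-p icmp -j DROP` counter and get no reply. Two caveats a practitioner should weigh: the closing REJECT still answers TCP and UDP probes to closed ports with an ICMP host-prohibited message, so the host is "blocked" but not invisible to a port scan (changing that REJECT to DROP makes it quieter, at the cost of slow timeouts for legitimate clients), and dropping Destination Unreachable or Time Exceeded, which this fragment deliberately does not do, would break path-MTU discovery and traceroute for the host's own traffic.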