Re: blocking icmp, firewalls, ect...

From: Dave Sherohman (esper_at_sherohman.org)
Date: 02/27/05

  • Next message: Carl Fink: "T-Mobile GPRS via Prolific PL2303 cable in Sarge"
    Date: Sat, 26 Feb 2005 23:09:55 -0600
    To: debian-user@lists.debian.org
    
    

    On Sat, Feb 26, 2005 at 10:32:41PM -0500, Nizzardini, Chris wrote:
    > What is the best solution IYO to blocking ICMP traffic.

    Best solution is to not do it. Blocking ICMP wholesale will break
    many things. (You can block certain ICMP message types without harm,
    but I can't tell you offhand which can be blocked and which will
    break things because I don't do it.)

    > Comcast will get angry at me for running a web server, but I think
    > Apache is the coolest thing so screw em! How can I block port
    > scans to my debian linux server.

    a) Apache uses TCP, not ICMP, so blocking ICMP wouldn't help you
    hide a web server.

    b) In Minnesota, at least, Comcast doesn't actually care. I know a
    number of people (at least one of whom is on this list *ahem*) and
    none have been contacted by Comcast regarding the http, ssh, ntp,
    smtp, etc. servers they're running. None have ever been portscanned
    by Comcast, either.

    Now, I'm not saying that you shouldn't set up a firewall, of course,
    but just do it as a matter of general security, not because you think
    you have to hide something from your ISP. (Besides, if they have an
    admin with half a brain, they'll be able to see that lots of other
    people are connecting to your port 80 even if you do block the port
    so they can't access it themselves. If anything, that would just
    bring them down harder on you because it would be obvious that you
    were trying to hide it from them, which implies that you expected
    them to not like it but did it anyhow.)

    -- 
    The freedoms that we enjoy presently are the most important victories of the
    White Hats over the past several millennia, and it is vitally important that
    we don't give them up now, only because we are frightened.
      - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
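The reply above says some ICMP types can be dropped without harm while blocking ICMP wholesale breaks things, but does not spell out which. The following is an added example, not part of Dave's reply or of the thread: a small shell script that prints an nftables ruleset keeping the ICMP and ICMPv6 types the stack depends on (error reporting, Path MTU discovery, IPv6 neighbour discovery) while only rate-limiting echo requests, plus a check that refuses a ruleset containing a blanket ICMP drop. nftables itself, the table name "filter", the 5/second limit and the open ports 22 and 80 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset that keeps the
# ICMP messages the network stack needs and only rate-limits the rest, instead
# of dropping ICMP wholesale.
# Assumptions: nftables (nft) is available on the host; the table name "filter",
# the 5/second limit and the open TCP ports 22 and 80 are placeholders.

# Print the ruleset to stdout. This function applies nothing.
icmp_ruleset() {
cat <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # IPv4: error reporting and Path MTU discovery depend on these types
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    # answer pings, but cap the rate so a flood cannot eat CPU
    icmp type echo-request limit rate 5/second accept

    # IPv6: errors, PMTUD and neighbour discovery all ride on ICMPv6 (RFC 4890),
    # so dropping it wholesale breaks basic connectivity
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    icmpv6 type echo-request limit rate 5/second accept

    # services this host actually offers (placeholder ports)
    tcp dport { 22, 80 } accept

    # The wholesale rule the reply warns against would read
    #   meta l4proto { icmp, icmpv6 } drop
    # and deliberately does not appear here.
  }
}
EOF
}

# Sanity-check a ruleset file before loading it: it must keep the essential
# error types and must not contain a blanket ICMP drop. Returns 0 on success.
check_icmp_ruleset() {
  file="$1"
  for needed in destination-unreachable time-exceeded packet-too-big; do
    grep -q "$needed" "$file" || { echo "missing $needed" >&2; return 1; }
  done
  # comment lines are ignored when looking for a blanket drop
  if grep -v '^ *#' "$file" | grep -Eq 'l4proto[^#]*icmp[^#]*drop'; then
    echo "blanket ICMP drop found" >&2
    return 1
  fi
  return 0
}

# Usage: write the ruleset, check it, then (as root) syntax-check and load it:
#   icmp_ruleset > /tmp/icmp.nft && check_icmp_ruleset /tmp/icmp.nft
#   nft -c -f /tmp/icmp.nft && nft -f /tmp/icmp.nft
```

The `nft -c -f` step only parses the file, so a typo in a type name is caught before anything reaches the kernel; `check_icmp_ruleset` is a separate, cruder guard against the one mistake the reply calls out, dropping all of ICMP, which `nft` would happily accept as valid syntax.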