Re: [SQU] ICMP

From: Bert Driehuis <bert_driehuis@dont-contact.us>
Date: Sun, 4 Mar 2001 16:31:58 +0100 (CET)

On Sun, 4 Mar 2001, Awie wrote:

> So, it means my Squid will be OK if I disable ICMP echo into my Linux. Am I
> right?
>
> The purpose to disable ICMP echo is security reason.

The idea that UNIX becomes more secure if you disable ICMP is
somewhat misguided. Your UNIX should already be protected against things
like responding to pinging the broadcast address and thereby amplifying a
smurf attack. Disabling regular ICMP ECHO and ECHOREQUEST does not make
your system or network more secure.

ICMP is also used for other housekeeping: you do not want to disable the
ICMP_UNREACH code if you want your Squid to notice that a site is
down quickly.

Look through the ICMP codes before deciding which to block. I would
definitely block ICMP_REDIRECT_* and ICMP_ROUTER*.

I would definitely not block ICMP_ECHO*, ICMP_UNREACH, ICMP_SOURCEQUENCH
and ICMP_TIMXCEED.

Don't forget that you might need the ICMP ECHO one day yourself, if you
need to test your system's reachability from a remote location.

Your mileage may vary.

Cheers,

                                        -- Bert

-- 
Bert Driehuis -- driehuis@playbeing.org -- +31-20-3116119
If the only tool you've got is an axe, every problem looks like fun!
Received on Sun Mar 04 2001 - 08:36:47 MST
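The filtering policy Bert lays out above, expressed as a netfilter ruleset. This is an added example, not something from the original thread or from the Squid project; it assumes a Linux host with iptables/iptables-restore (the `--icmp-type` names used are the ones iptables itself lists) and a sysctl interface at `/etc/sysctl.conf`. The rules drop redirects and router advertisement/solicitation, accept echo, destination-unreachable, source-quench and time-exceeded, and leave everything else to the chain's default policy. The functions only print; nothing is applied unless you pass `--apply`.

```bash
#!/bin/sh
# Added example: ICMP filtering per the policy in Bert's reply.
# Assumes netfilter/iptables on Linux; rules are emitted in
# iptables-restore format so they can be reviewed before loading.

# Rules for the INPUT chain. Block the types that let an outsider
# steer routing (redirect, router-*); keep the housekeeping types
# Squid and ordinary TCP/IP depend on (unreachable, time-exceeded,
# source-quench) and echo in both directions.
icmp_policy_rules() {
  cat <<'EOF'
*filter
# routing-manipulation types: drop
-A INPUT -p icmp --icmp-type redirect -j DROP
-A INPUT -p icmp --icmp-type router-advertisement -j DROP
-A INPUT -p icmp --icmp-type router-solicitation -j DROP
# housekeeping types Squid needs to notice a dead site: accept
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type source-quench -j ACCEPT
# echo: keep it, you will want to ping your own box from outside
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
COMMIT
EOF
}

# The broadcast-ping (smurf amplifier) protection Bert says the
# host should already have; a real Linux sysctl key.
smurf_protection_sysctl() {
  echo "net.ipv4.icmp_echo_ignore_broadcasts = 1"
}

# Sanity check on the generated policy: no ACCEPT for the types we
# intended to drop, and no DROP for the ones Squid relies on.
# Returns 0 when the policy is consistent, 1 otherwise.
check_policy() {
  rules=$(icmp_policy_rules)
  for t in redirect router-advertisement router-solicitation; do
    echo "$rules" | grep -q -- "--icmp-type $t -j ACCEPT" && return 1
  done
  for t in destination-unreachable time-exceeded echo-request; do
    echo "$rules" | grep -q -- "--icmp-type $t -j DROP" && return 1
  done
  return 0
}

# Count of rules of a given target (DROP or ACCEPT) in the policy.
count_target() {
  icmp_policy_rules | grep -c -- "-j $1$"
}

if [ "$1" = "--apply" ]; then
  check_policy || { echo "policy inconsistent, not applying" >&2; exit 1; }
  # -n / --noflush: add to existing tables instead of replacing them
  icmp_policy_rules | iptables-restore -n
  smurf_protection_sysctl >> /etc/sysctl.conf
  sysctl -p
else
  icmp_policy_rules
  smurf_protection_sysctl
fi
```

Run it without arguments to review the generated rules and the sysctl line; run it as root with `--apply` to load them on top of the current ruleset. Note that the list only covers INPUT; ICMP your own host originates (outgoing echo, the errors your kernel sends back) is untouched, which is the point of keeping the reply types open.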
