firewallspotting

Tim Writer tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org
Thu Dec 30 20:11:59 UTC 2004


daniel <danstemporaryaccount-FFYn/CNdgSA at public.gmane.org> writes:

> On December 29, 2004 06:41 pm, Ilya Palagin wrote:
> > Something is trying to connect to port 6881 on your server.  The server
> > is replying with ICMP Type 3,
> > which is the "Destination unreachable" message.  Your iptables stack
> > doesn't have a rule which allows that kind of packet to go out.
> >
> > To simulate this situation, just try to connect to the same port from an
> > outside IP address like this:
> > telnet <your IP> 6881
> >
> > or with a more advanced tool like NetCat.
> 
> Ahh, thank you!  Now I understand.  I was running Azureus (a BitTorrent client)
> on the Mac and had left the NAT port forwarding on, even though the box was
> off.
> 
> So now I have a question regarding policy.  Should I be allowing outgoing ICMP
> packets or just keep things the way they are -- being dropped?  Is what I'm
> currently doing considered bad form?  At present I only allow established or
> related traffic through along with outgoing connections to basic ports (80, 22,
> etc.) and a few incoming packets for services.

You _must_ allow certain types of ICMP or you'll run into trouble.  In
particular, types 4 (source quench), 11 (time to live exceeded), and 12
(parameter problem) should be allowed in both directions.  I also think you
should allow type 3 (destination unreachable) in both directions and rely on
other rules to explicitly drop or reject inbound connections.  Unless you're
trying to learn about firewalling, I'd suggest using a firewalling package
rather than rolling your own.  Shorewall is a good choice.

-- 
tim writer <tim-s/rLXaiAEBtBDgjK7y7TUQ at public.gmane.org>                                  starnix inc.
647.722.5301                                      toronto, ontario, canada
http://www.starnix.com              professional linux services & products
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
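The ICMP policy Tim describes, written out as iptables rules: this is an added example, not code from the thread, from Tim's setup or from Shorewall. It assumes a host whose INPUT and OUTPUT policies default to DROP and that otherwise passes only ESTABLISHED/RELATED traffic; the IPT variable is an assumed convention that makes the script echo the rules instead of applying them unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example: accept ICMP types 3, 4, 11 and 12 in both directions on an
# iptables host, and decide inbound policy with an explicit REJECT rather than
# by swallowing the ICMP errors the kernel sends back.
# IPT defaults to "echo iptables" so the script can be read and tested without
# root; run with IPT=iptables to apply the rules for real (assumed convention).
IPT="${IPT:-echo iptables}"

# Symbolic names the iptables icmp match accepts for the types Tim lists,
# in order: 3 destination-unreachable, 4 source-quench, 11 time-exceeded,
# 12 parameter-problem.
icmp_types() {
    printf '%s\n' destination-unreachable source-quench time-exceeded parameter-problem
}

# Emit one ACCEPT rule per listed ICMP type on one chain (INPUT or OUTPUT).
icmp_rules_for_chain() {
    chain="$1"
    for t in $(icmp_types); do
        $IPT -A "$chain" -p icmp --icmp-type "$t" -j ACCEPT
    done
}

# Both directions: inbound errors about our own outgoing traffic (a
# time-exceeded from traceroute, a fragmentation-needed for path MTU) and
# outbound errors such as the port-unreachable the original poster saw
# leaving the box.
allow_icmp_both_ways() {
    icmp_rules_for_chain INPUT
    icmp_rules_for_chain OUTPUT
}

# Placed after the ACCEPT rules for wanted services, this answers any other
# new inbound TCP with an ICMP port-unreachable (type 3, code 3); the OUTPUT
# rule above is what lets that reply leave.
reject_other_inbound_tcp() {
    $IPT -A INPUT -p tcp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
}

# Full ordering when run as a script (echoed unless IPT=iptables).
main() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_icmp_both_ways
    # per-service ACCEPT rules (22, 80, ...) belong here, before the REJECT
    reject_other_inbound_tcp
}

main
```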