[nsp] known networks for broadcast ping attacks

• Previous message (by thread): [nsp] known networks for broadcast ping attacks
• Next message (by thread): [nsp] known networks for broadcast ping attacks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 30 Jul 1997, Systems Engineer wrote:

> Well ever since this but was introduced to the outside world,  I have
> since modified my present Firewall (ipfwadm v2.3.0) to accomodate.
> 
> type  prot source               destination          ports
> deny  icmp 0.0.0.0              0.0.0.255            any
> deny  icmp 0.0.0.255            0.0.0.0              any
> 

My rule is:

deny icmp   0.0.0.0 0.0.0.0 any

With perhaps specific permits above that for devices that I find have
a legitimate need for ICMP (be it unreachables, or echo/echo reply).

I was wondering more if there were a good reason, other than for dial-up 
users who may need connectivity checks, to allow any ICMP in, or ICMP to 
say anything more than a terminal server's address range and certain hosts.

Hence my prior discussion on ping-mapping netblocks, and its lack of
applicability to the number of hosts on my network.

Paul
-------------------------------------------------------------------------
Paul D. Robertson
gatekeeper at gannett.com

• Previous message (by thread): [nsp] known networks for broadcast ping attacks
• Next message (by thread): [nsp] known networks for broadcast ping attacks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]