Hello Fred,

Fred Wright wrote on 23 August 2004:

>>Maybe a simple (optional) flag "strip DF flag on outgoing packets"
>Aarrgh. No, no, no. That would break the cases where PMTUd works
>fine, and force fragmentation on things that are trying to avoid it.

I already had a lengthy answer to PMTU not working, since most m0n0wall users probably don't have an explicit rule to allow ICMP. But then I read this:

>The stateful filter automatically passes ICMP errors associated with
>established flows, regardless of rules.

If I had known this, I wouldn't have asked about ICMP and/or the DF flag; of course my question is totally obsolete now, since everything is already taken care of ;-)

The official documentation left me with the impression that everything gets dropped which is not explicitly allowed.

>The only effect of blocking or passing ICMP in the rules is to
>determine whether incoming ICMP *requests* (e.g. pings) are accepted.

Gee, the docs sure need some work ;-)

>Fragmentation Needed errors aren't the only useful ones

I know, TTL expired, Source quench, etc. are all useful too.

Speaking of TTL expired: you probably know tools like "firewalker" which attack with faked TTLs? If m0n0wall accepts ICMP without the admin's consent, how secure is it against such tools as hping, nmap, etc.? What about ACK-storms?

Laurent Joncheray - A Simple Active Attack Against TCP
http://www.deter.com/unix/papers/tcp_attack.pdf

ACK-Storms and TCP-Hijacking - David Anderson and Brian Teague
http://www.owlnet.rice.edu/~bteague/papers/comp527.pdf

>- e.g. the only non-timeout way of determining that a UDP-based
>service isn't available is via ICMP. And there's traceroute, of
>course.

On my linux-firewall I used to reject with "icmp-admin-prohibited" ;-)

Kind regards and thank you for the clarification.

Frederick
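As an added illustration of the behaviour Fred describes (this is example code written for this page, not code from m0n0wall or from either poster): a minimal check that passes an ICMP error only when the datagram embedded in it belongs to a flow already in the state table, so an error that does not match any established flow, or a plain echo request, still needs an explicit rule. All addresses, ports and the state table are constructed.

```python
import socket
import struct

# Constructed state table of established outbound flows:
# (proto, src_ip, src_port, dst_ip, dst_port). Addresses are made-up examples.
STATE = {(6, "192.0.2.10", 40000, "198.51.100.5", 80)}

# ICMP error types that carry the offending datagram: destination unreachable
# (incl. Fragmentation Needed), source quench, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 11, 12}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; enough for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_icmp_error(router, host, icmp_type, code, inner_src, inner_sport,
                     inner_dst, inner_dport, inner_proto=6):
    """Constructed ICMP error from 'router' to 'host', quoting the original
    IP header plus the first 8 bytes of its TCP/UDP header (as RFC 792 requires)."""
    inner_l4 = struct.pack("!HHI", inner_sport, inner_dport, 0)
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(inner_l4)) + inner_l4
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0, 1400) + inner  # 1400 = next-hop MTU
    return ipv4_header(router, host, 1, len(icmp)) + icmp

def build_echo_request(src, dst):
    """Constructed ICMP echo request (a *request*, not an error)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def icmp_error_allowed(packet, state=STATE):
    """True only if 'packet' is an ICMP error whose quoted datagram matches an
    outbound flow in 'state'; everything else must be decided by explicit rules."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                     # not ICMP at all
        return False
    icmp = packet[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:    # e.g. echo request: needs a rule
        return False
    inner = icmp[8:]                       # quoted original datagram
    if len(inner) < 28:                    # need 20-byte header + 8 bytes of L4
        return False
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_src = socket.inet_ntoa(inner[12:16])
    inner_dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    # The quoted datagram is one *we* sent, so it must match an outbound flow.
    return (inner[9], inner_src, sport, inner_dst, dport) in state
```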