gabriel rosenkoetter on Mon, 6 Aug 2001 10:20:14 -0400
On Sun, Aug 05, 2001 at 03:54:44PM -0400, Greg Lopp wrote:
> First off, it's fairly common for sites to not return pings these
> days, so that's not a good tool for determining the status of a
> machine anymore. Even our beloved slashdot drops them.

Beloved?

Anyway, dropping just any random ICMP out of hand is a bad idea. Most of it is cruft that you can ignore (definitely including pings and traceroutes), but the reason to do this is not just to be a pest, but to avoid your site being used as part of a smurf attack (in which a remote host pings your broadcast address with a false return IP address in order to DoS another remote host; or some variation thereof).

But you absolutely do NOT want to go dropping ICMP unreachable or similar. In fact, a well-behaved firewall *generates* ICMP unreachable packets in response to UDP requests it blocks and TCP RST packets in response to TCP SYN packets it blocks. Sure, this *could* be used as a kind of DoS, but since it doesn't amplify the bandwidth any, it's just silly. (And if someone wants to confuse someone else's--koff koff, windows, koff--TCP stack by randomly giving it RSTs and is already capable of spoofing their IP address, doing it through someone else's machine is pretty silly.)

My own (IP Filter) rules to take care of this:

    block in log on rtk0 all head 100
    block out log on rtk0 all head 150
    block in log on rtk1 all head 200
    block out log on rtk1 all head 250

    block return-rst in log proto tcp from any to any flags S/SA group 100
    block return-icmp(net-unr) in proto udp all group 100

    [... the rest of the configuration]

> Next, the problem probably lies in the ipchains rules that are
> setup on the firewall/gateway. I have a similar system as my
> firewall/gateway and both of the sites mentioned come through
> just fine (albeit to a linux client).

I agree with your questions, but want to suggest that the problem could be related to ICMP, but related to its being dropped by the local firewall.

That is, if there's an MTU change between Brian's site and, say, septa.org, and his firewall doesn't properly pass the ICMP packet to indicate such (can't seem to find my copy of Stevens's "UNIX Network Programming", so I don't recall what the packet's actual *name* is...), then the Windows box, which may be setting the "don't fragment" TCP flag, won't know to resend the request without it set. (I seem to recall Windows being particularly poorly behaved as regards DF...)

A truly stateful firewall would have no problem with this, of course, presuming it was told to keep state for that outbound connection. IP Chains is not, however, a stateful firewall. I'll make no further comment on that.

-- 
~ g r @ eclipsed.net

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
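The path-MTU failure mode discussed in the message above, as an added example that is mine and not part of the original post or of IP Filter. The ICMP message the post cannot name is ICMP destination unreachable (type 3) with code 4, "fragmentation needed and DF set" (RFC 792), which RFC 1191 extended to carry the next-hop MTU; DF itself is a bit in the IP header of the TCP segment. The toy path, its hop names and MTUs, and the two policy functions are constructed for illustration. The model shows why a firewall that drops all inbound ICMP creates a PMTUD black hole (small requests succeed, full-size segments stall) while one that only drops echo requests and redirects does not.

```python
"""Model of RFC 1191 path-MTU discovery through a firewall that filters ICMP.

Constructed example: a toy path with a small-MTU hop, a sender that sets DF,
and two inbound ICMP policies. Hop names, MTUs and policy names are
illustrative assumptions, not anything from the original post.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# ICMP message types/codes (RFC 792 / RFC 1191)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # code under type 3: "fragmentation needed and DF set"
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11       # what traceroute relies on
ICMP_PARAM_PROBLEM = 12

# (type, code, next-hop MTU carried in the RFC 1191 extension, if any)
IcmpMsg = Tuple[int, int, Optional[int]]


@dataclass
class Hop:
    name: str
    mtu: int


def forward(path: List[Hop], size: int, df: bool) -> Optional[IcmpMsg]:
    """Push one datagram of `size` bytes along `path`.

    Returns None if it is delivered, or the ICMP error the first
    too-small hop sends back to the source when DF is set. Without DF
    the hop would fragment and forward, so that case counts as delivered.
    """
    for hop in path:
        if size > hop.mtu and df:
            return (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, hop.mtu)
    return None


# --- two inbound ICMP policies for the firewall in front of the sender ---

def drop_all_icmp(msg: IcmpMsg) -> bool:
    """The 'block everything ICMP' mistake: nothing gets in, not even errors."""
    return False


def selective_icmp(msg: IcmpMsg) -> bool:
    """Drop the noise (echo requests, redirects) but pass the error messages
    that TCP/UDP stacks need: unreachable, time exceeded, parameter problem."""
    icmp_type = msg[0]
    return icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM)


def pmtud(path: List[Hop], inbound_icmp_ok: Callable[[IcmpMsg], bool],
          initial_mtu: int = 1500, max_rounds: int = 5) -> Optional[int]:
    """Sender-side PMTUD: send with DF set, shrink on 'fragmentation needed'.

    Returns the size that finally gets through, or None when the sender keeps
    retransmitting the same size because the ICMP error never reached it
    (a PMTUD black hole: small packets work, full-size ones hang).
    """
    mtu = initial_mtu
    for _ in range(max_rounds):
        err = forward(path, mtu, df=True)
        if err is None:
            return mtu
        if inbound_icmp_ok(err):
            mtu = err[2]        # next-hop MTU from the error (RFC 1191 section 4)
        # else: our own firewall ate the error; retransmit unchanged
    return None


# Constructed path: LAN -> PPPoE uplink -> a tunnel somewhere in the middle
EXAMPLE_PATH = [Hop("lan", 1500), Hop("pppoe-uplink", 1492), Hop("tunnel", 1280)]


if __name__ == "__main__":
    print("selective ICMP policy:", pmtud(EXAMPLE_PATH, selective_icmp))     # 1280
    print("drop-all ICMP policy: ", pmtud(EXAMPLE_PATH, drop_all_icmp))      # None
    # A 1000-byte request fits every hop, which is why a blackholed site
    # "works" for small pages and stalls on large ones.
    print("small datagram, any policy:", forward(EXAMPLE_PATH, 1000, df=True))  # None
```

The `selective_icmp` policy is the shape of what the IP Filter rules quoted above aim for: echo requests and redirects can be dropped without consequence, but type 3 (including code 4) must be allowed in, or the sender behind the firewall never learns to shrink its segments.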