tech-net archive


Re: translating Linux to NetBSD for blocking traffic



wiz%NetBSD.org@localhost (Thomas Klausner) writes:

>In the second video on https://nuzzle.hackerfactor.com/,
>https://www.youtube.com/watch?v=qqV0VCmlNe0 the author recommends the
>following commands to reduce network attacks on a Linux host:

>would I configure it to do the above?

something like:

  # block evil pings
  block in final family inet4 proto icmp icmp-type echo
  block in final family inet6 proto ipv6-icmp icmp-type echo

  # block evil pongs
  block out final family inet4 proto icmp icmp-type icmp_code_unreach
  block out final family inet6 proto ipv6-icmp icmp-type icmp6_code_unreach

The distinction between the three ICMPv6 messages makes no sense:
destination-unreachable is the message type, while address-unreachable and
port-unreachable are specific codes of that type.

>Do you see any major downsides to these settings?

It doesn't prevent anything and makes debugging more difficult. After all,
any open ports still exist. The idea is probably to filter these too and
magically only respond to valid clients, but then you should become invisible
to everything instead of dropping only particular messages.
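The type-versus-code point above, as an added example that is not part of the original post or of NPF: a minimal ICMP/ICMPv6 header parser and a toy rule matcher shaped like `icmp-type TYPE [code CODE]` rules. It is a constructed model, not NPF's matching engine; the packets are constructed in-line with a zero checksum and are never sent. It shows that one rule keyed on the destination-unreachable type (ICMPv4 type 3, ICMPv6 type 1) already covers the address-unreachable and port-unreachable codes, so separate rules per code add nothing.

```python
"""Toy model of 'icmp-type TYPE [code CODE]' filter matching.

Constructed example: NOT NPF's engine. Type and code constants are from
RFC 792 (ICMPv4) and RFC 4443 (ICMPv6).
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# ICMPv4 message types and the destination-unreachable codes used below.
ICMP4_ECHO_REPLY, ICMP4_UNREACH, ICMP4_ECHO = 0, 3, 8
ICMP4_UNREACH_HOST, ICMP4_UNREACH_PORT = 1, 3
# ICMPv6 message types and destination-unreachable codes.
ICMP6_UNREACH, ICMP6_ECHO, ICMP6_ECHO_REPLY = 1, 128, 129
ICMP6_UNREACH_NOROUTE, ICMP6_UNREACH_ADDR, ICMP6_UNREACH_PORT = 0, 3, 4


@dataclass(frozen=True)
class IcmpHeader:
    family: str   # "inet4" or "inet6"
    type: int
    code: int


def parse_icmp(family: str, payload: bytes) -> IcmpHeader:
    """Parse the 4-byte type/code/checksum prefix common to ICMP and ICMPv6."""
    if len(payload) < 4:
        raise ValueError("truncated ICMP header")
    typ, code, _checksum = struct.unpack("!BBH", payload[:4])
    return IcmpHeader(family, typ, code)


@dataclass(frozen=True)
class Rule:
    """A block rule: direction, address family, ICMP type, optional code."""
    direction: str              # "in" or "out"
    family: str                 # "inet4" or "inet6"
    icmp_type: int
    code: Optional[int] = None  # None: any code of this type matches

    def matches(self, direction: str, hdr: IcmpHeader) -> bool:
        return (direction == self.direction
                and hdr.family == self.family
                and hdr.type == self.icmp_type
                and (self.code is None or hdr.code == self.code))


def blocked(rules: Iterable[Rule], direction: str, hdr: IcmpHeader) -> bool:
    return any(r.matches(direction, hdr) for r in rules)


def mk_icmp(typ: int, code: int, body: bytes = b"\x00" * 4) -> bytes:
    """Build a constructed ICMP/ICMPv6 header; checksum left zero, never sent."""
    return struct.pack("!BBH", typ, code, 0) + body


# The four rules from the reply, expressed as type-only matches.
RULES = [
    Rule("in", "inet4", ICMP4_ECHO),
    Rule("in", "inet6", ICMP6_ECHO),
    Rule("out", "inet4", ICMP4_UNREACH),
    Rule("out", "inet6", ICMP6_UNREACH),
]


def classify(direction: str, family: str, packet: bytes,
             rules: Iterable[Rule] = RULES) -> str:
    """Return 'block' or 'pass' for a packet under the given rules."""
    return "block" if blocked(rules, direction, parse_icmp(family, packet)) else "pass"


def codes_blocked(rules: Iterable[Rule], direction: str, family: str,
                  typ: int) -> set:
    """All codes (0..255) of one message type that the rules would block."""
    return {c for c in range(256)
            if blocked(rules, direction, IcmpHeader(family, typ, c))}


if __name__ == "__main__":
    # A type-only rule covers every destination-unreachable code ...
    print(sorted(codes_blocked(RULES, "out", "inet6", ICMP6_UNREACH)) == list(range(256)))
    # ... whereas a code-specific rule only covers that one code.
    port_only = [Rule("out", "inet6", ICMP6_UNREACH, ICMP6_UNREACH_PORT)]
    print(codes_blocked(port_only, "out", "inet6", ICMP6_UNREACH))
```

`codes_blocked` makes the argument concrete: against the type-only rule every code of ICMPv6 type 1 (no-route, address-unreachable, port-unreachable and the rest) is blocked, while a rule that also names `code 4` leaves address-unreachable (code 3) through.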


