tech-net archive
Re: translating Linux to NetBSD for blocking traffic
Hi,
On Sun, Oct 01, 2023 at 05:29:49PM +0200, Thomas Klausner wrote:
> Disable ping:
> /etc/sysctl.conf: set net.ipv4.icmp_echo_ignore_all = 1
I flatly refuse to diagnose network problems when people block ICMP ping.
There is no security win, but it massively interferes with keeping
things running.
> No unreachable responses:
> iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
>
> Disable TCP RST:
> iptables -I OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP
And this is also security circus. Yes, it slows down scanning on
ports not in use - but if you have attackable services, they will be
discovered and attacked.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert%greenie.muc.de@localhost
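The reply above argues that dropping outgoing RSTs and unreachables only turns a fast "closed" verdict into a slow "filtered" one, while a listening service is still found. The following is an added example, not code from the post, from NetBSD or from Linux netfilter: a minimal TCP connect scanner in Python that classifies a port by how the connect attempt ends (SYN/ACK, RST, ICMP unreachable, or silence until the timeout) and records how long each verdict took. The demo scans a constructed loopback listener and a constructed unused loopback port; a "filtered" result cannot be reproduced offline, since it needs a host that really drops its RSTs, so it is only exercised by the classification logic.

```python
"""TCP connect scan with open / closed / filtered / unreachable verdicts.

Added example, not from the mailing-list post.  Shows why dropping RST or
ICMP unreachable replies only slows a scan: closed ports become "filtered"
(scanner waits for its timeout), open ports still complete the handshake.
"""
import errno
import socket
import time


def classify(host: str, port: int, timeout: float = 1.0) -> tuple:
    """Connect to host:port once; return (verdict, seconds_spent).

    open        -> handshake completed (SYN/ACK came back)
    closed      -> RST came back (ECONNREFUSED); answered in milliseconds
    filtered    -> nothing came back before the timeout (RST/unreach dropped)
    unreachable -> ICMP unreachable or a local routing error
    """
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            verdict = "filtered"
        except ConnectionRefusedError:
            verdict = "closed"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                verdict = "unreachable"
            else:
                raise
        else:
            verdict = "open"
    return verdict, time.monotonic() - start


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan a list of ports; returns {port: (verdict, seconds)}."""
    return {p: classify(host, p, timeout) for p in ports}


def _unused_loopback_port() -> int:
    """Constructed test setup: ask the kernel for a free loopback port and
    release it again, so a connect to it gets a RST (nobody listens)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout: float = 1.0) -> dict:
    """Constructed demo: one listening and one closed loopback port.

    Returns {"open": (verdict, secs), "closed": (verdict, secs)}.  The
    listener only needs to be in LISTEN state; the kernel completes the
    handshake into the backlog without an accept().
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = _unused_loopback_port()
    try:
        return {
            "open": classify("127.0.0.1", open_port, timeout),
            "closed": classify("127.0.0.1", closed_port, timeout),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for name, (verdict, secs) in demo().items():
        print(f"{name:7s} -> {verdict:11s} in {secs * 1000:.1f} ms")
```

Against a host that drops RSTs, the second entry would come back as "filtered" after the full timeout instead of "closed" in a few milliseconds, which is the whole effect of the quoted OUTPUT rules; the first entry is "open" either way.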