[MLB-WIRELESS] Firewall rule?
Tony Langdon, VK3JED
vk3jed at optushome.com.au
Wed Aug 16 21:17:22 EST 2006
At 05:25 PM 8/16/2006, Mark Aitken wrote:
>Thanks guys (gals?), you have given me heaps to follow up. I have at
>present set ICMP to Deny while I wade through the information at hand.
Well, as indicated, you should NEVER set a blanket DENY on ICMP. At
most, ICMP echo (ping) is as far as you'd want to go. ICMP stands
for Internet Control Message Protocol, and without ICMP, some
important things break, such as PMTU (Path MTU) Discovery.
I like the suggestion of the referenced article, which was to block
ICMP echo to the broadcast addresses of your networks, so you can't
be used as a smurf amplifier. In these days of NAT routers, that's
not such an issue for home users.
>I do, however, find it strange that there is no NAT rule in my ADSL
>modem pointing to the computer that is reporting the incoming ICMP
>packets on my LAN, so how does the modem know to redirect ICMP packets
>to it? Or is this a "flood" from my ADSL modem (DLINK 302G) to all
>ranges in its grasp?
You sure it's not anything normal like PMTU discovery in
progress? PPPoE will cause this to happen on some routers (others
will clamp the TCP MSS to a safe value to work around brain-dead
routers and clueless admins).
>I don't know if Tiny Personal Firewall is the best of the freeware
>firewalls around, but without going into IPSec on the Win2K Server
>I guess it is better than nothing??
Personal firewalls on each host are a good idea for the most part, as
they can slow down some worms if one gets loose on your
network. These days, I'm not sure what's what in personal
firewalls. For my needs, I use Windows Firewall on XP SP2 boxes, and
iptables/Netfilter on Linux (usually configured using Shorewall). I
don't deal much with other versions of Windows (except for 2003
Server at work) these days.
73 de VK3JED
http://vkradio.com
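The policy Tony describes (keep the ICMP control messages PMTU discovery needs, restrict only echo, and drop echo sent to your networks' broadcast addresses so you are not a smurf amplifier), written up as an added example that is not part of the original thread. The broadcast address 192.168.1.255 and interface ppp0 are constructed sample values; the iptables/Netfilter rule strings are what the same policy looks like as rules and are assumed to match the iptables syntax of the day, not taken from the post.

```python
import ipaddress

# ICMP types a blanket DENY would also kill. Type 3 code 4 (fragmentation
# needed) is the message Path MTU Discovery relies on; without it, large
# TCP transfers over PPPoE links silently stall.
ESSENTIAL_ICMP = {
    0: "echo-reply",
    3: "destination-unreachable",   # includes code 4, fragmentation needed
    11: "time-exceeded",
    12: "parameter-problem",
}
ECHO_REQUEST = 8


def icmp_verdict(icmp_type, dst_ip, broadcast_addrs, block_echo=False):
    """Decide ACCEPT/DROP for one inbound ICMP packet under the thread's advice.

    broadcast_addrs: directed-broadcast addresses of your own networks
    (constructed sample input in the test). block_echo=True is the "at most"
    option from the post: refuse pings, but never the control messages."""
    if icmp_type == ECHO_REQUEST:
        targets = {ipaddress.ip_address(b) for b in broadcast_addrs}
        if ipaddress.ip_address(dst_ip) in targets:
            return "DROP"          # smurf amplification case: always drop
        return "DROP" if block_echo else "ACCEPT"
    if icmp_type in ESSENTIAL_ICMP:
        return "ACCEPT"            # PMTU discovery and error reporting survive
    return "DROP"                  # timestamp, address mask, etc.: not needed


def iptables_rules(broadcast_addrs, block_echo=False, chain="INPUT"):
    """Same policy as iptables commands (assumed syntax, not from the post)."""
    rules = [f"iptables -A {chain} -p icmp --icmp-type echo-request -d {b} -j DROP"
             for b in broadcast_addrs]
    for name in ESSENTIAL_ICMP.values():
        rules.append(f"iptables -A {chain} -p icmp --icmp-type {name} -j ACCEPT")
    verdict = "DROP" if block_echo else "ACCEPT"
    rules.append(f"iptables -A {chain} -p icmp --icmp-type echo-request -j {verdict}")
    rules.append(f"iptables -A {chain} -p icmp -j DROP")   # everything else
    return rules


def mss_clamp_rule(iface):
    """The MSS-clamping workaround Tony mentions for PPPoE links where PMTU
    discovery is broken by routers that drop ICMP (iface is a sample value)."""
    return (f"iptables -t mangle -A FORWARD -o {iface} -p tcp "
            f"--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
```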