Bug 117365 - shb-firewall needs clarification in blocking icmp packages
Summary: shb-firewall needs clarification in blocking icmp packages
Status: RESOLVED WONTFIX
Alias: None
Product: [OLD] Docs-user
Classification: Unclassified
Component: Gentoo Security Guide (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Łukasz Damentko (RETIRED)
 
Reported: 2006-01-01 10:34 UTC by Jan Hendrik Grahl (RETIRED)
Modified: 2006-01-02 06:06 UTC

Description Jan Hendrik Grahl (RETIRED) gentoo-dev 2006-01-01 10:34:08 UTC
shb-firewall should take into account that the following kernel options are activated in shb-kernel:
/proc/sys/net/ipv4/icmp_echo_ignore_all
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Therefore the paragraph about blocking all ICMP packages in shb-firewall should take this into account, since it tells the user to utilize the ping command. 

This issue was reported by a user named eques to the German docs-team.
Comment 1 Łukasz Damentko (RETIRED) gentoo-dev 2006-01-01 10:47:37 UTC
The only mention of the "ping" command in this chapter is a test of the above proc changes. Could you (or the user reporting the problem) elaborate more on it? Otherwise I'll just have to mark it as INVALID.
Comment 2 Jan Hendrik Grahl (RETIRED) gentoo-dev 2006-01-01 14:53:43 UTC
Correct, in this chapter there is no other mention of ping, but in a previous chapter of the security handbook 'shb-kernel.xml' the user is given the option of disabling ping via icmp_echo_ignore_all and is told about various possible outcomes. The user that first voted for an additional notice is referring to this and tries to convey the notion that ping wouldn't have worked even before disabling icmp packages via iptables at this point if a user had followed the previous instructions.
I'll try to contact the user originally reporting the issue to confirm or deny whether I got the point here or not.
Comment 3 eques 2006-01-02 04:06:13 UTC
Jan Hendrik, what you write is correct.
I think that it is a small problem, but I spent a lot of time finding this ignore bit in the /proc filesystem. A newbie follows the description in the book. Later it is not possible for him/her to find out the reason.
(In reply to comment #2)
> Correct, in this chapter there is no other mentioning of ping, but in a
> previous chapter of the security handbook 'shb-kernel.xml' the user is given
> the option of disabling ping via icmp_echo_ignore_all and is told about various
> possible outcomes. The user that first voted for an additional notice is
> referring to this and tries to convey the notion that ping wouldn't have worked
> even before disabling icmp packages via iptables at this point if a user had
> followed the previous instructions.
> I'll try to contact the user originally reporting the issue to confirm or deny
> whether I got the point here or not.
> 
Comment 4 Łukasz Damentko (RETIRED) gentoo-dev 2006-01-02 06:06:41 UTC
It's rather obvious that if you turn off ICMP in your sysctl/proc, ICMP packets won't be flowing all over the place. Please note also that people are discouraged from using this setting in the shb-kernel chapter.
On the other hand, in shb-firewall, ping/icmp is used only as an example of how to block based on a protocol, not as a suggested configuration option.
So, you shouldn't set any of them up at all.
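The confusion this bug describes is that two separate mechanisms can make a ping test fail: the icmp_echo_ignore_all sysctl from shb-kernel, which the kernel applies before any iptables rule is consulted, and the `-p icmp` protocol-match rule from shb-firewall. The following POSIX shell script is an added example written for this page, not part of the bug, the handbook or any Gentoo tool; it tells the two apart so that a reader knows which chapter's instructions explain a silent ping. The sysctl names come from the bug; the directory argument standing in for /proc/sys/net/ipv4 and the file standing in for `iptables -S` output are assumptions so that the script runs on constructed data without touching the live system.

```shell
#!/bin/sh
# Added example (not from the bug or the Gentoo handbook): before treating a
# failed ping as proof that an iptables rule works, check whether the kernel
# sysctls from shb-kernel already silence echo requests.
#
# Both inputs are parameterised so the script can be run against constructed
# files instead of the live system (assumption for this example):
#   $1  directory holding icmp_echo_ignore_all / icmp_echo_ignore_broadcasts
#       (the live location is /proc/sys/net/ipv4)
#   $2  file holding the output of `iptables -S` (constructed here)

# Print the value of a sysctl file, or "0" when it cannot be read.
read_sysctl() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo 0
    fi
}

# Classify what would make ping fail. Prints exactly one of:
#   kernel    icmp_echo_ignore_all=1 (shb-kernel): fails before iptables is consulted
#   firewall  an INPUT/OUTPUT rule drops or rejects ICMP (the shb-firewall example)
#   none      neither mechanism is active
explain_ping_failure() {
    proc_dir="$1"
    rules_file="$2"

    ignore_all=$(read_sysctl "$proc_dir/icmp_echo_ignore_all")
    if [ "$ignore_all" = "1" ]; then
        echo kernel
        return 0
    fi

    # `iptables -S` prints rules as "-A CHAIN ... -p icmp ... -j DROP".
    if [ -r "$rules_file" ] && grep -Eq -- '^-A (INPUT|OUTPUT) .*-p icmp.*-j (DROP|REJECT)' "$rules_file"; then
        echo firewall
        return 0
    fi

    echo none
}

# Demonstration on constructed data: a host that followed shb-kernel
# (icmp_echo_ignore_all=1) and also added the shb-firewall example rule.
# The kernel setting wins, which is exactly the case the bug reporter hit.
demo_dir=$(mktemp -d)
echo 1 > "$demo_dir/icmp_echo_ignore_all"
echo 1 > "$demo_dir/icmp_echo_ignore_broadcasts"
printf '%s\n' '-P INPUT DROP' '-A INPUT -p icmp -j DROP' > "$demo_dir/rules"
printf 'ping would fail because of: %s\n' "$(explain_ping_failure "$demo_dir" "$demo_dir/rules")"
rm -rf "$demo_dir"
```

Against a live system the call would be `explain_ping_failure /proc/sys/net/ipv4 <(iptables -S)` in a shell that supports process substitution, or with `iptables -S` redirected to a temporary file first. The point for the handbook reader is the ordering: only when the sysctl reports "none" does a failed ping say anything about the iptables rule.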