[MLB-WIRELESS] Firewall rule?

Tony Langdon, VK3JED vk3jed at optushome.com.au
Wed Aug 16 21:17:22 EST 2006


At 05:25 PM 8/16/2006, Mark Aitken wrote:
>Thanks guys (Gals?). You have given me heaps to follow up. I have at
>present set ICMP to Deny while
>I wade through the information at hand.

Well, as indicated, you should NEVER set a blanket DENY on ICMP.  At 
most, ICMP echo (ping) is as far as you'd want to go.  ICMP stands 
for Internet Control Message Protocol, and without ICMP, some 
important things break, such as PMTU (Path MTU) Discovery.

I like the suggestion of the referenced article, which was to block 
ICMP echo to the broadcast addresses of your networks, so you can't 
be used as a smurf amplifier.  In these days of NAT routers, that's 
not such an issue for home users.


>I do however find it strange that the computer that is reporting the
>Incoming ICMP packets on my LAN, that there
>is no NAT rule in my ADSL modem pointing to it so how does the modem
>know to redirect icmp packets to it? Or is
>this a "flood" from my adsl modem (DLINK 302G) to all ranges in its grasp?

You sure it's not anything normal like PMTU discovery in 
progress?   PPPoE will cause this to happen on some routers (others 
will clamp the TCP MSS to a safe value to work around brain dead 
routers and clueless admins).

>I don't know if Tiny Personal Firewall is the best of the freeware
>firewalls around but without going into IPSec on the
>Win2K Server I guess it is better than nothing??

Personal firewalls on each host are a good idea for the most part, as 
they can slow down some worms if one gets loose on your 
network.  These days, I'm not sure what's what in personal 
firewalls.  For my needs, I use Windows Firewall on XP SP2 boxes, and 
iptables/Netfilter on Linux (usually configured using Shorewall).  I 
don't deal much with other versions of Windows (except for 2003 
Server at work) these days.

73 de VK3JED
http://vkradio.com
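The advice above (keep the ICMP types PMTU discovery depends on, drop echo aimed at your broadcast address so you can't be used as a smurf amplifier, and clamp TCP MSS on a PPPoE link) written out as a raw iptables/Netfilter script. This is an added example, not part of the list post and not a Shorewall configuration; the uplink name `ppp0`, the LAN broadcast address `192.168.1.255` and the `DRY_RUN` switch are assumptions for illustration, so adjust them before use.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). ICMP policy that does NOT
# blanket-deny ICMP: it keeps the types PMTU discovery needs, rate-limits
# unicast echo, drops echo to the LAN broadcast address, and clamps TCP MSS
# for a PPPoE uplink. Interface and address values below are placeholders.

WAN_IF="${WAN_IF:-ppp0}"                    # assumed PPPoE uplink interface
LAN_BCAST="${LAN_BCAST:-192.168.1.255}"     # assumed LAN broadcast address
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the rules, 0 = apply them

# Wrapper so the ruleset can be reviewed on paper before it touches the kernel.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

icmp_policy() {
    # Replies to connections this host opened are always allowed.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Never drop these. Type 3/4 (fragmentation-needed) is what PMTU discovery
    # relies on; time-exceeded is needed for traceroute and TTL handling;
    # destination-unreachable covers the remaining 3/x codes (e.g. port unreachable).
    ipt -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

    # Smurf amplification: echo requests to the broadcast address are dropped,
    # both for this host and for anything it forwards.
    ipt -A INPUT   -p icmp --icmp-type echo-request -d "$LAN_BCAST" -j DROP
    ipt -A FORWARD -p icmp --icmp-type echo-request -d "$LAN_BCAST" -j DROP

    # Unicast echo (ping) is allowed but rate-limited instead of blanket-denied.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP

    # Any other ICMP type is dropped explicitly; extend the list above if needed.
    ipt -A INPUT -p icmp -j DROP
}

mss_clamp() {
    # PPPoE reduces the link MTU to 1492. Clamping MSS on outgoing SYNs works
    # around remote sites that drop the fragmentation-needed messages PMTU
    # discovery depends on (the "brain dead routers" case).
    ipt -t mangle -A FORWARD -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Self-check helper: how many rules in the ICMP policy mention a given type.
rules_for_icmp_type() {
    icmp_policy | grep -c -- "--icmp-type $1 "
}

# Usage: sh firewall.sh show            (prints the rules, DRY_RUN=1)
#        DRY_RUN=0 sh firewall.sh show  (applies them; needs root)
if [ "${1:-}" = "show" ]; then
    icmp_policy
    mss_clamp
fi
```

Run it with `show` first in dry-run mode and read the output: the point of the wrapper is that the blanket-deny mistake the post warns about is easy to spot on paper (no `fragmentation-needed` or `time-exceeded` ACCEPT lines ahead of the final ICMP DROP) before the rules are loaded.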
