Best way to filter "Nachi pings"?

[Jason Stone]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> > > D'oh? I like ping very much

> > The security and DoS concerns are really kind of obvious.

> Blocking all ping packets to improve security is nothing more than
> security through obscurity.

No, you're missing the point - when all of my clients started massively
pinging the internet, the load on my nat box brings down connectivity for
my whole office.  We're not talking about obscuring the layout of a
network - we're talking about a client that is massively flooding with a
particular kind of traffic, and so we're blocking that traffic to avoid
dos.  That traffic just happens to be ping traffic.  Yes, not being able
to send outbound pings is unfortunate, but if the alternative is to lose
your connectivity entirely, blocking pings seems preferable.

If your network is small and firewall performance is not an issue, you
could just allow outbound pings from the unix machines....


> > > Filtering packets by length on the other hand is a very nice feature
> > > to have.

> > As it happens, ipfw[2] does this anyway.

Yes, ipfw2 (ie, on fbsd-5 boxes) has an "iplen" option that you can put in
the body of your rule.  From the manpage:

     iplen len
             Matches IP packets whose total length, including header and
             data, is len bytes.

However, this isn't going to help most people with 4.x systems, so their
best option is probably still to block all pings.


 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE/nP2wswXMWWtptckRAudOAKCDTBQimeY4p8IPxw2LDf6PrwTAzQCg7Pxc
XlSVE+ke8z4+h6j3abGejvs=
=kFyX
-----END PGP SIGNATURE-----