12-09-2013
Basically you want to deny incoming packets that you didn't initiate? This is usually done in the router, but there are so many tutorials and howtos..
Having just that rule and a default policy of ALLOW on OUTPUT should do it though.
And yes, FORWARD should only matter if you're routing packets. It's likely not even enabled (it's a separate sysctl option)
9 More Discussions You Might Find Interesting
1. Cybersecurity
I need to set up an application to run in a script which will be running as a web server but is a database. I need to allow users to use the web server but the app must be run as root in order for the ports to be accessible. This is not a very secure environment would like to know how this could... (2 Replies)
Discussion started by: rpollard
2 Replies
2. Shell Programming and Scripting
I am trying to transpose tables listed in the format into format. Any help would be greatly appreciated.
Input:
test_data_1
1 2 90%
4 3 91%
5 4 90%
6 5 90%
9 6 90%
test_data_2
3 5 92%
5 4 92%
7 3 93%
9 2 92%
1 1 92%
...
Output:... (7 Replies)
Discussion started by: justthisguy
7 Replies
3. Programming
I've written a python program where I want to allow members of a specific group the ability to kill it, and I'm not sure how to do it. I've been looking at the setuid() and setgid() and similar functions in the os module, but haven't been able to get them to work. I can't seem to change the uid or... (1 Reply)
Discussion started by: vastcharade
1 Replies
4. Red Hat
I have encountered some problems in my school work.
Here is the question:
The server that provides the time synchronization must be configured to allow its clients to verify its authenticity using symmetric cryptography.
Much Appreciated!:) (1 Reply)
Discussion started by: wilsonljx
1 Replies
5. Homework & Coursework Questions
The server that provides the time synchronization must be configured to allow its clients to verify its authenticity using symmetric cryptography.
4. Singapore Polytechnic, Dover, Singapore,Mr Kam, and Computer Engineering
I don't think there is any coding since it is just configuring... (3 Replies)
Discussion started by: wilsonljx
3 Replies
6. Red Hat
Hi Friends,
samba for annonymouse setup but not allowing me to write when i tried to browse from windows 7 box
conf as below
#testparm
Load smb config files from /etc/samba/smb.conf
Processing section ""
Processing section ""
Processing section ""
Loaded services file OK.
Server... (0 Replies)
Discussion started by: heman96
0 Replies
7. UNIX for Dummies Questions & Answers
Hello!
I run an HP Unix system which I host oracle databases on, as well as oracle based apps used by my company. My IA department needs to scan my files to ensure I am following IA procedures and check for vulnerabilities in scripts etc. The scan is coming from corporate, and they asked for... (2 Replies)
Discussion started by: hpuxguy
2 Replies
8. AIX
As I do a ssh <nis_user>@server1 from server2, ssh prompts for certificates (as expected the first time), then it prompts for the users password, as soon as I enter the password, I get a Connection to server1 closed by remote host, and connection to server1 closed. and I disconnect back to the... (3 Replies)
Discussion started by: mrmurdock
3 Replies
9. UNIX for Advanced & Expert Users
Hello Gurus,
I want One user to su to another without allowing root access and password.
I want to run a specific command as below from user am663:
---------------------------------------------------------
sudo -u appsprj4 /home/appsrj4/scripts/start_apache.sh
-------------------
But... (6 Replies)
Discussion started by: pokhraj_d
6 Replies
ICMP(7) Linux Programmer's Manual ICMP(7)
NAME
icmp, IPPROTO_ICMP - Linux IPv4 ICMP kernel module.
DESCRIPTION
This kernel protocol module implements the Internet Control Message Protocol defined in RFC792. It is used to signal error conditions and
for diagnosis. The user doesn't interact directly with this module; instead it communicates with the other protocols in the kernel and
these pass the ICMP errors to the application layers. The kernel ICMP module also answers ICMP requests.
A user protocol may receive ICMP packets for all local sockets by opening a raw socket with the protocol IPPROTO_ICMP. See raw(7) for more
information. The types of ICMP packets passed to the socket can be filtered using the ICMP_FILTER socket option. ICMP packets are always
processed by the kernel too, even when passed to a user socket.
Linux limits the rate of ICMP error packets to each destination. ICMP_REDIRECT and ICMP_DEST_UNREACH are also limited by the destination
route of the incoming packets.
SYSCTLS
ICMP supports a sysctl interface to configure some global IP parameters. The sysctls can be accessed by reading or writing the
/proc/sys/net/ipv4/* files or with the sysctl(2) interface. Most of these sysctls are rate limitations for specific ICMP types. Linux 2.2
uses a token bucket filter to limit ICMPs. The value is the timeout in jiffies until the token bucket filter is cleared after a burst. A
jiffy is a system dependent unit, usually 10ms on x86 and about 1ms on alpha and IA64.
icmp_destunreach_rate
Maximum rate to send ICMP Destination Unreachable packets. This limits the rate at which packets are sent to any individual route
or destination. The limit does not affect sending of ICMP_FRAG_NEEDED packets needed for path MTU discovery.
icmp_echo_ignore_all
If this value is non-zero, Linux will ignore all ICMP_ECHO requests.
icmp_echo_ignore_broadcasts
If this value is non-zero, Linux will ignore all ICMP_ECHO packets sent to broadcast addresses.
icmp_echoreply_rate
Maximum rate for sending ICMP_ECHOREPLY packets in response to ICMP_ECHOREQUEST packets.
icmp_paramprob_rate
Maximum rate for sending ICMP_PARAMETERPROB packets. These packets are sent when a packet arrives with an invalid IP header.
icmp_timeexceed_rate
Maximum rate for sending ICMP_TIME_EXCEEDED packets. These packets are sent to prevent loops when a packet has crossed too many
hops.
NOTES
As many other implementations don't support IPPROTO_ICMP raw sockets, this feature should not be relied on in portable programs.
ICMP_REDIRECT packets are not sent when Linux is not acting as a router. They are also only accepted from the old gateway defined in the
routing table and the redirect routes are expired after some time.
The 64-bit timestamp returned by ICMP_TIMESTAMP is in milliseconds since January 1, 1970.
Linux ICMP internally uses a raw socket to send ICMPs. This raw socket may appear in netstat(8) output with a zero inode.
VERSIONS
Support for the ICMP_ADDRESS request was removed in 2.2.
Support for ICMP_SOURCE_QUENCH was removed in Linux 2.2.
SEE ALSO
ip(7)
RFC792 for a description of the ICMP protocol.
Linux Man Page 1999-04-27 ICMP(7)