Firestarter Firewall

Anyone know how to install Firestarter? In Ubuntu I just searched for the package and hit install.

Why not use the YaST firewall, which is really an interface to iptables (the kernel firewall)?

I set all the interfaces to internet mode and I can still ping the machine. How do I make it unpingable?

YaST->System->/etc/sysconfig Editor and search for ping, then select
FW_ALLOW_PING_FW, select goto and change to no.

Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel
up 3 days 18:16, 2 users, load average: 0.19, 0.06, 0.03
GPU GeForce 8600 GTS Silent - CUDA Driver Version: 190.18

Any good reason for this?

Let me guess, you want to “hide” your machine with that.

Just FYI, if one is not getting any answer from an ICMP message this is the best sign that there actually is a machine at that IP.

Then what choice do we have here :)??

I guess it is still better to minimize the internet traffic and let anyone from outside know that someone is here.

What choice do you need?

Trying to “hide” your machine does not improve security at all.

Yeah, especially regarding that

a) the ping will arrive at your machine anyway

b) it will be resent (in some cases several times) if there is no answer (so you will actually increase traffic if you block pings)

c) the default size is negligible compared to one standard TCP packet

d) ICMP was designed to work and you will break a lot of things with blocking ICMP which is also violating the RFCs

Well, to be honest, I set my mother’s PC not to respond to any ICMP packets and all is fine. Nothing is broken, everything works fine. The traffic increase is negligible; if someone won’t get any response and he is not on the same subnet then he has no chance to know if someone is there under this IP. Remember that we are defending against online threats outside our LAN or subnet (no one would be so stupid to attack and leave traces on a LAN or subnet :)).

Give me one example where blocking ICMP response would break something :slight_smile:

Yes, the ping will arrive at my PC anyway but my PC won’t give anyone response.

Path MTU discovery.
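The breakage named in the reply above, shown as a toy simulation. This is an added example, not code from the thread or from any firewall product; the hosts, links and MTUs are constructed. A sender with the Don't Fragment bit set learns the path MTU only from the ICMP "fragmentation needed" messages (RFC 1191) that routers send back. A host that drops all inbound ICMP never receives them, so its large packets keep being retransmitted at the same size and are black-holed, while small packets still get through, which is exactly why the damage is easy to miss in everyday browsing.

```python
from dataclasses import dataclass


@dataclass
class Link:
    """One hop on the path with its maximum transmission unit (constructed values)."""
    name: str
    mtu: int


@dataclass
class Host:
    """A sender that sets DF and adjusts its path MTU from ICMP feedback."""
    name: str
    drop_icmp: bool = False   # the thread's "do not respond to / accept any ICMP" setting
    path_mtu: int = 1500      # initial assumption: local Ethernet MTU

    def receive_icmp(self, message):
        # A firewall that drops inbound ICMP discards the hint before the IP stack sees it.
        if self.drop_icmp:
            return False
        if message["type"] == "frag-needed":
            self.path_mtu = message["next_hop_mtu"]
        return True


def forward(path, size, sender):
    """Forward a DF packet of `size` bytes (total IP length) along `path`.

    A router whose next hop cannot carry the packet drops it and sends
    ICMP type 3 code 4 ("fragmentation needed") with the next-hop MTU.
    Returns 'delivered' or 'dropped'.
    """
    for link in path:
        if size > link.mtu:
            sender.receive_icmp({"type": "frag-needed", "next_hop_mtu": link.mtu})
            return "dropped"
    return "delivered"


def send_with_pmtud(sender, path, packet_size, max_attempts=5):
    """Retransmit until delivered, shrinking to the discovered path MTU each time.

    Returns (outcome, attempts_used, sender's final path MTU).
    If ICMP never reaches the sender, path_mtu never changes and every
    retransmission is the same oversized packet: a PMTU black hole.
    """
    for attempt in range(1, max_attempts + 1):
        size = min(packet_size, sender.path_mtu)
        if forward(path, size, sender) == "delivered":
            return ("delivered", attempt, sender.path_mtu)
    return ("black-holed", max_attempts, sender.path_mtu)


# Constructed path: an Ethernet LAN, a PPPoE uplink with the classic 1492-byte MTU, the ISP core.
PATH = [Link("home-lan", 1500), Link("pppoe-uplink", 1492), Link("isp-core", 1500)]


def demo():
    """Compare a normal host with one that drops all inbound ICMP."""
    normal = Host("normal")
    blocker = Host("icmp-blocker", drop_icmp=True)
    return {
        "normal-large": send_with_pmtud(normal, PATH, 1500),
        "blocker-large": send_with_pmtud(blocker, PATH, 1500),
        "blocker-small": send_with_pmtud(blocker, PATH, 500),   # small packets still work
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The normal host loses one packet, learns 1492 and succeeds on the second attempt; the blocker delivers a 500-byte packet on the first try but never delivers the 1500-byte one. That matches the classic symptom of an ICMP-blocking firewall: connections open fine, then stall as soon as a large response has to cross a smaller-MTU hop.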

Ok but it isn’t something you use daily that will affect your browsing etc. It is still better to disable any response to someone sending a ping command since it is live users sending ICMP packets in most cases that want to check something so it is better to “be safe than sorry”.

Do you really know what you are talking about?

But to make things easier make that “every process relying on ICMP to get actual status of a network” and again blocking ICMP will break things.

if someone won’t get any response and he is not on the same subnet then he has no chance to know if someone is there under this IP.

Wrong, he knows that there is a machine at that IP no matter if he will get an answer or not.

What he won’t know is if there are any machines behind the router if the LAN is NATed, again no matter if there is a response or not, that’s not a feature of “firewalling” but of NAT itself.

I know what I am talking about. The only way you can get someone’s IP is to make the pinging process automatic to brute-force IPs (ping from some set of addresses and up and up); there is no other way to discover an IP than to ping it IF you’re not on the same subnet (since the internet is a set of subnets, the routers do not forward packets that are not sent to someone).

And where is the relation to “blocking ICMP will prevent that”?

It won’t as I already told you.

The last router “in front of” your subnet decides if a machine is up, not you.

If your machine is up for that router (and he knows even if you block ICMP with your internal IP) he will let the ping through:

  • If your machine answers, the person pinging you knows you are there

  • If your machine does not answer, he knows you are there, because

  • If your machine really weren’t up, the router in front of your subnet would answer (destination or network unreachable)

(In fact there are quite a few other ways to figure out if a machine is at an IP than pinging it, but that’s another story.)
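The three cases in the post above (reply, silence, router-generated unreachable), as detection logic run over a packet capture. This is an added example, not code from the thread; the tcpdump-style lines are constructed using RFC 5737 documentation addresses, with 198.51.100.5 as the outside observer, 192.0.2.1 as the last-hop router, 192.0.2.10 a host that answers, 192.0.2.20 a host that drops ICMP, and 192.0.2.30 an address with no host behind it. It assumes, as the post does, that the router in front of the subnet sends "host unreachable" when nobody is at the address.

```python
import re
from collections import defaultdict

# Constructed capture in tcpdump's ICMP output format (not a real trace).
CAPTURE = """\
10:00:01.000 IP 198.51.100.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
10:00:01.001 IP 192.0.2.10 > 198.51.100.5: ICMP echo reply, id 1, seq 1, length 64
10:00:02.000 IP 198.51.100.5 > 192.0.2.20: ICMP echo request, id 1, seq 2, length 64
10:00:03.000 IP 198.51.100.5 > 192.0.2.20: ICMP echo request, id 1, seq 3, length 64
10:00:04.000 IP 198.51.100.5 > 192.0.2.30: ICMP echo request, id 1, seq 4, length 64
10:00:04.002 IP 192.0.2.1 > 198.51.100.5: ICMP host 192.0.2.30 unreachable, length 92
"""

# "<timestamp> IP <src> > <dst>: ICMP <body>, length <n>"
LINE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<body>.*?), length \d+$")
UNREACH = re.compile(r"host (?P<target>[\d.]+) unreachable")


def classify(capture, observer):
    """Return {probed address: verdict} as seen from `observer`.

    An echo reply means the host is up. A 'host unreachable' is generated by the
    router, not the host, and names the address nobody answered for. A request
    that draws neither of those was delivered to a host that chose to stay quiet;
    had there been no host, the router would have said so.
    """
    requests = defaultdict(int)
    replies = set()
    unreachable = set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, body = m.group("src", "dst", "body")
        if src == observer and body.startswith("echo request"):
            requests[dst] += 1
        elif dst == observer and body.startswith("echo reply"):
            replies.add(src)
        elif dst == observer:
            u = UNREACH.search(body)
            if u:
                unreachable.add(u.group("target"))   # reported about target, sent by router src
    verdict = {}
    for target in requests:
        if target in replies:
            verdict[target] = "up (replies)"
        elif target in unreachable:
            verdict[target] = "no host (router answered for it)"
        else:
            verdict[target] = "up (silently drops ICMP)"
    return verdict


if __name__ == "__main__":
    for addr, result in sorted(classify(CAPTURE, "198.51.100.5").items()):
        print(f"{addr}: {result}")
```

The point of the classifier is the third branch: silence is itself a signal once the router's behaviour is known, which is why a host that drops ICMP is not hidden, just labelled differently. For a defender, the same correlation (requests with no matching reply and no unreachable) is a useful way to spot sweeps against a subnet in firewall or capture logs.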

It depends if the machine is behind a router or a simple dumb device that just sends the traffic through. And if I block ICMP then the router will still report “destination unreachable”, right?

Anyway, it all ultimately depends on how the network has been set up, some settings work for one person but not for others.

For example I am behind a router that sends all the traffic through (the one supposed to come to my IP) and I am also behind a NAT naturally, but I still block ICMP.

No, (and by “last router” I mean the last router standing at your ISP, if you have a NAT router at home does not make any difference).

No, it won’t and you should be glad about that.

If that router at your ISP would answer “destination unreachable” you would be disconnected from the internet.

I disagree :slight_smile:

My ISP has a separate DHCP server and I get an IP no matter if I have ICMP answering or not (different packets IIRC), and YES, I do mean my ISP’s router, and we all are behind some router and NAT since that’s the only way to ensure that there are enough addresses for everybody :slight_smile:

No problem, still you are so completely wrong it’s not even funny any longer.

LOL (OK, I have to take that “it’s not funny” back, that was really funny).

Thank you, just made my day…

Do you have a shell account somewhere? E.g. log in there and do an nmap
back to your IP address :wink:

Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel
up 3 days 21:43, 2 users, load average: 0.09, 0.05, 0.01
GPU GeForce 8600 GTS Silent - CUDA Driver Version: 190.18

OK Akoellh, if it is so easy to see someone’s IP then tell me what is my IP address? And about that “you made my day”, how can you have any idea of how the infrastructure is set up with my ISP? With my ISP the router server has a list of allowed IPs to send the traffic through but the DHCP server is on a separate server. It is a small ISP so I don’t know how the bigger ones do it (if the same way or not). Anyway, this discussion brings nothing to the topic so I will just shut the hell up :slight_smile:

And again you don’t get the point.

It’s not about “what is my IP address” and never was, it’s about if by using ping one can say if there is a machine at that address or not and the answer is “yes, it is possible, no matter if the target blocks ICMP or not.”

I don’t need to but to give you a little hint.

OK, you block ICMP to “hide yourself” as there are no answers if somebody is pinging you.

It does not work (I already explained why several times).

Still, where’s the relevance to your example of “I block ICMP and still get an IP by DHCP from my ISP”?

Of course you get one, you ASKED for it!

This is like wearing a hat with the letters “I am invisible” on it and wandering through the streets asking people if they detect your presence.

Even if that hat would make you invisible in some magic way, they knew you were there because you told them.