Chapter 10 summary

Changes to Default Rules




The NSA Recommendation would change this to



Regulate the Ping Command

From Linux, the ping command's -f (flood) switch can be used to flood another system; it may transmit thousands of packets per second.

One potentially troublesome rule in the default firewall is

-A INPUT -p icmp -j ACCEPT

However, ICMP messages go both ways. If you run the ping command against a remote system, the remote system responds with an ICMP packet. So if you want to limit ICMP messages, the following rules still allow the "acceptable" responses to a ping:

-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
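An added audit helper (not from the book or these notes) that reads INPUT-chain rules in iptables-save format and reports whether the blanket ICMP accept is still present, which ICMP types are accepted, and which of them are unsolicited (such as echo-request, the type a ping flood sends). It goes one step beyond the notes by treating an echo-request rule that carries iptables' -m limit rate-limit match as acceptable; the sample rule sets and the 203.0.113.0/24 address are constructed.

```python
import re

# Constructed sample: the default blanket ICMP accept plus a DROP line.
DEFAULT_RULES = """
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -s 203.0.113.0/24 -j DROP
"""

# Constructed sample: the restricted replacement set from the notes.
RESTRICTED_RULES = """
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
"""

# Constructed sample: echo-request accepted only under a rate limit.
LIMITED_ECHO_RULES = """
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
"""

# Reply-side ICMP types a host must still receive for its own pings and
# traceroutes to work (the three types the notes keep).
RESPONSE_TYPES = {"echo-reply", "destination-unreachable", "time-exceeded"}


def audit_icmp_rules(text):
    """Summarise the ICMP ACCEPT rules on the INPUT chain of iptables-save text."""
    blanket = False          # True if any rule accepts ICMP without an --icmp-type
    accepted = set()         # ICMP types explicitly accepted
    rate_limited = set()     # accepted types that also carry -m limit
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT") or " -p icmp" not in line:
            continue
        if " -j ACCEPT" not in line:
            continue
        match = re.search(r"--icmp-type\s+(\S+)", line)
        if match is None:
            blanket = True   # every ICMP type, echo-request included, gets in
            continue
        accepted.add(match.group(1))
        if " -m limit" in line:
            rate_limited.add(match.group(1))
    # Unsolicited types (anything that is not a reply) are flood material
    # unless they are rate limited.
    unsolicited = accepted - RESPONSE_TYPES - rate_limited
    return {
        "blanket_accept": blanket,
        "accepted_types": sorted(accepted),
        "unsolicited_types": sorted(unsolicited),
        "ok": not blanket and not unsolicited,
    }
```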

Block Suspicious IP Addresses

-A INPUT -i eth0 -s -j DROP

-A INPUT -i eth0 -s -j DROP

-A INPUT -i eth0 -s -j DROP

-A INPUT -i eth0 -s -j DROP

-A INPUT -i eth0 -s -j DROP

Regulate Access to SSH