tech-net archive


translating Linux to NetBSD for blocking traffic



Hi!

In the second video on https://nuzzle.hackerfactor.com/,
https://www.youtube.com/watch?v=qqV0VCmlNe0 the author recommends the
following commands to reduce network attacks on a Linux host:

Disable ping:
/etc/sysctl.conf: set net.ipv4.icmp_echo_ignore_all = 1

No unreachable responses:
iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

Disable TCP RST:
iptables -I OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP


And similar for IPv6:

Disable Ping:
ip6tables -I OUTPUT -p icmpv6 --icmpv6-type echo-reply -j DROP

No unreachable responses:
ip6tables -I OUTPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j DROP
ip6tables -I OUTPUT -p ipv6-icmp --icmpv6-type address-unreachable -j DROP
ip6tables -I OUTPUT -p ipv6-icmp --icmpv6-type port-unreachable -j DROP


I guess the equivalent tool on NetBSD would be npf(4), but how
would I configure it to do the above?

Do you see any major downsides to these settings?

Thanks,
 Thomas

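One way to express the quoted iptables/ip6tables rules in npf.conf(5), added here as an example and not taken from the original post or from NetBSD's own sample configuration; it assumes the external interface is wm0 and uses numeric ICMP types and codes rather than symbolic names.

```conf
# Added example, not from the original post. External interface assumed to be wm0.
$ext_if = "wm0"

group "external" on $ext_if {
        # "Disable ping": drop incoming ICMPv4 echo requests (type 8), which has
        # the same externally visible effect as net.ipv4.icmp_echo_ignore_all=1,
        # and drop outgoing ICMPv6 echo replies (type 129) as the ip6tables rule does.
        block in  final family inet4 proto icmp      icmp-type 8
        block out final family inet6 proto ipv6-icmp icmp-type 129

        # "No unreachable responses": ICMPv4 destination unreachable is type 3;
        # ICMPv6 destination unreachable is type 1, and blocking it without a
        # code already covers address-unreachable (code 3) and port-unreachable
        # (code 4), so the three ip6tables rules collapse into one.
        block out final family inet4 proto icmp      icmp-type 3
        block out final family inet6 proto ipv6-icmp icmp-type 1

        # "Disable TCP RST": match packets with exactly RST and ACK set, the
        # equivalent of "--tcp-flags ALL RST,ACK" (syntax is flags/mask with
        # the letters F S R P A U).
        block out final proto tcp flags RA/FSRPAU

        # Block rules above carry "final" so they win before this pass rule;
        # without it the last matching rule wins in npf.
        pass stateful out final all
        pass stateful in  final proto tcp to $ext_if port ssh
}

group default {
        pass final on lo0 all
        block all
}
```

Packets belonging to a connection already tracked by a stateful pass rule are passed on the state match and never reach these block rules, so an RST that closes an established connection is still sent; check the file with `npfctl validate` before loading it.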
