Hello! Niccolò Belli
  On that day, it was said...

> Also please do not drop icmp traffic, it does solve exactly this
> kind of problem. Unfortunately if the other peer does drop icmp you
> will still be in trouble.

...mmmhhh... I drop ICMP traffic selectively: practically, I rate-limit
echo request/echo reply and accept some other types; I think this is a
common setup:

	$IPT -A icmp-restricted -p icmp --fragment -j DROP
	$IPT -A icmp-restricted -p icmp --icmp-type echo-request -m limit \
		--limit 5/sec -j ACCEPT
	$IPT -A icmp-restricted -p icmp --icmp-type echo-reply -m limit \
		--limit 5/sec -j ACCEPT
	$IPT -A icmp-restricted -p icmp --icmp-type time-exceeded -j ACCEPT
	$IPT -A icmp-restricted -p icmp --icmp-type destination-unreachable \
		-j ACCEPT
	$IPT -A icmp-restricted -p icmp --icmp-type parameter-problem -j ACCEPT
	$IPT -A icmp-restricted -p icmp --icmp-type source-quench -j ACCEPT
	$IPT -A icmp-restricted -p icmp -j DROP

But... AARRGGHHH!!! ICMP is dropped in the INPUT and OUTPUT chains for the
openvpn interfaces, I've never minded that.

Oops, many thanks!!!

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	tel +39-0434-842711  fax +39-0434-842797
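The situation the message ends on, ICMP handled by icmp-restricted on one interface but dropped outright on the OpenVPN interfaces, can be checked offline by walking a saved ruleset first-match for a probe packet. This is an added example, not part of the original message; the ruleset, the interface names eth0 and tun+, and the helpers parse, rule_target and verdict are assumptions, and the probe is taken to be unfragmented and under any rate limit.

```python
import shlex

# Constructed ruleset in iptables-save layout, not the poster's real one.
SAMPLE = """\
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmp-restricted - [0:0]
-A INPUT -i eth0 -p icmp -j icmp-restricted
-A INPUT -i tun+ -p udp -j ACCEPT
-A OUTPUT -o tun+ -p icmp -j DROP
-A icmp-restricted -p icmp -f -j DROP
-A icmp-restricted -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
-A icmp-restricted -p icmp --icmp-type destination-unreachable -j ACCEPT
-A icmp-restricted -p icmp -j DROP
"""

def parse(text):  # -> (chain policies, ordered rule lists per chain)
    policies, chains = {}, {}
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0].startswith(":"):
            policies[tok[0][1:]] = tok[1]
        elif tok and tok[0] == "-A":
            chains.setdefault(tok[1], []).append(tok[2:])
    return policies, chains

def rule_target(rule, pkt):  # target if the rule matches pkt, else None
    target, it = None, iter(rule)
    for opt in it:
        arg = next(it, "")
        if opt in ("-i", "-o", "-p", "--icmp-type"):
            have = pkt.get(opt, "")  # trailing "+" on an interface is a prefix wildcard
            ok = have.startswith(arg[:-1]) if arg.endswith("+") else have == arg
        else:  # -f and any other match option: treated as non-matching
            ok = opt in ("-j", "-m", "--limit", "--reject-with")
        if not ok:
            return None
        target = arg if opt == "-j" else target
    return target

def verdict(text, chain, pkt):  # -> (verdict, deciding rule or "chain policy")
    policies, chains = parse(text)
    def walk(name):
        for rule in chains.get(name, []):
            target = rule_target(rule, pkt)
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target, " ".join(rule)
            hit = walk(target) if target in chains else None
            if hit or target == "RETURN":
                return hit
    return walk(chain) or (policies[chain], "chain policy")
```

The probe is written with iptables' own option names, for example `verdict(SAMPLE, "INPUT", {"-i": "tun0", "-p": "icmp", "--icmp-type": "destination-unreachable"})`, and the ICMP type must use the same notation (name or number) as the ruleset being checked.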