> > Personally I suggest allowing the following ICMP types:
> >
> > 0 Echo Reply
> > 3 Destination Unreachable
> > 11 Time Exceeded
> > 12 Parameter Problem

0 is optional but useful, 11 can be used for certain kinds of DoS attack against some hosts.

> > and dropping the rest (you must allow ICMP type 3).
>
> Why must type 3 be allowed?

It makes it possible to use TCP. Path MTU discovery requires destination unreachable.

> Wouldn't it make it harder to do portscans and similar things, if one drops all
> outgoing "Destination Unreachable" packets?

Far more productive is to fake connection accepts on all other ports 8)
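The allow list discussed above, worked through as an added example (my code, not anything posted in this thread): it builds IPv4/ICMP datagrams from scratch, then applies the policy to inbound traffic, accepting types 0, 3, 11 and 12 and dropping everything else, with the type 3 code 4 "fragmentation needed" case that PMTU discovery depends on pulled out and its next-hop MTU decoded. One check goes beyond what the thread says and is my own addition: for the error types (3, 11, 12) the quoted original datagram must have been sent from the protected address, which stops a third party forging "unreachable" messages for connections it never saw. The addresses are documentation-range assumptions and the packets are constructed, not captured.

```python
import ipaddress
import struct

# Inbound ICMP types accepted under the policy suggested in the thread.
ALLOWED_ICMP_TYPES = {
    0: "echo-reply",
    3: "destination-unreachable",   # code 4 is what PMTU discovery needs
    11: "time-exceeded",
    12: "parameter-problem",
}
ICMP_ERROR_TYPES = {3, 11, 12}      # these quote the offending datagram

LOCAL = "192.0.2.10"     # assumed address of the host being protected
PEER = "198.51.100.1"    # assumed remote peer (both are documentation ranges)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; evaluates to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 datagram (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """ICMP message: type, code, checksum, 4-byte 'rest of header', payload."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def classify(packet: bytes, local_addr: str) -> tuple:
    """Verdict for one inbound packet arriving at local_addr.

    Returns (verdict, reason); verdict is 'accept', 'drop' or 'pass'
    ('pass' means not ICMP, leave it to the TCP/UDP rules).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop", "not an IPv4 datagram"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:
        return "pass", "not ICMP"
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "drop", "truncated ICMP or bad ICMP checksum"
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in ALLOWED_ICMP_TYPES:
        return "drop", "ICMP type %d not in allow list" % icmp_type
    if icmp_type in ICMP_ERROR_TYPES:
        # Added check beyond the thread: an ICMP error must quote a datagram
        # this host actually sent, otherwise anyone can forge errors for us.
        quoted = icmp[8:]
        if len(quoted) < 28 or quoted[0] >> 4 != 4:
            return "drop", "ICMP error without a quoted IP header"
        if str(ipaddress.IPv4Address(quoted[12:16])) != local_addr:
            return "drop", "ICMP error quotes a datagram we did not send"
        if icmp_type == 3 and code == 4:
            mtu = struct.unpack("!H", icmp[6:8])[0]
            return "accept", "fragmentation needed, next-hop MTU %d" % mtu
    return "accept", ALLOWED_ICMP_TYPES[icmp_type]


def sample_packets() -> dict:
    """Constructed packets for the demo, not captured traffic."""
    sent = build_ipv4(LOCAL, PEER, 6, b"\x00" * 8)            # TCP we sent
    forged = build_ipv4("203.0.113.7", PEER, 6, b"\x00" * 8)  # not ours
    icmp_in = lambda msg: build_ipv4(PEER, LOCAL, 1, msg)
    return {
        "echo_reply": icmp_in(build_icmp(0, 0, b"\x00\x01\x00\x01", b"ping")),
        "echo_request": icmp_in(build_icmp(8, 0, b"\x00\x01\x00\x01", b"ping")),
        "frag_needed": icmp_in(build_icmp(3, 4, struct.pack("!HH", 0, 1280), sent[:28])),
        "forged_unreach": icmp_in(build_icmp(3, 1, b"\x00" * 4, forged[:28])),
        "redirect": icmp_in(build_icmp(5, 1, b"\x00" * 4, sent[:28])),
        "ttl_exceeded": icmp_in(build_icmp(11, 0, b"\x00" * 4, sent[:28])),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print("%-15s %s" % (name, classify(pkt, LOCAL)))
```

Running it shows the echo reply, the fragmentation-needed error (MTU 1280) and the time-exceeded error accepted, while the echo request, the redirect and the unreachable that quotes someone else's datagram are dropped. A real filter would also verify the quoted destination and ports against its connection table; the source check alone is the minimum that keeps type 3 open for PMTU discovery without accepting arbitrary forged errors.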