On Thu, Jun 30, 2005 at 10:12:09AM +0200, Martijn van Oosterhout wrote:
> Why change the kernel code when you could simply add a firewall rule
> for the same effect?

To be compliant with the RFC and the comments included in icmp.c, i.e.

net/ipv4/icmp.c:422
/*
 *	Send an ICMP message in response to a situation
 *
 *	RFC 1122: 3.2.2	MUST send at least the IP header and 8 bytes
 *			of header.
 *			MAY send more (we do).
 *			MUST NOT change this header information.
 *			MUST NOT reply to a multicast/broadcast IP
 *			address.
 *			MUST NOT reply to a multicast/broadcast
 *			MAC address.
 *			MUST reply to only the first fragment.
 */

Some of the above rules seem to be misimplemented.

> I guess you could add a sysctl for controlling whether connections to
> TCP port 80 are allowed but at some point you have to decide where you
> draw the line between hardcoding and doing it in the firewall.

ohh.. it has already been invented: /proc/sys/net/khttpd/clientport ;]

Sorry for empty message.

--
Tomasz Chomiuk .:ch0mik[at]hotpop.com
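
The rules listed in the icmp.c comment quoted above, written out as a user-space C check. This is an added example, not part of the original message and not kernel code; `struct trigger_pkt`, the function names and the `subnet_bcast` parameter are hypothetical, and the sample packets in `main` are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical summary of the packet that triggered the ICMP error. */
struct trigger_pkt {
    uint32_t daddr;     /* IPv4 destination, host byte order */
    uint16_t frag_off;  /* IP flags + fragment offset field, host byte order */
    uint8_t  ihl;       /* IP header length in 32-bit words (5..15) */
    size_t   len;       /* bytes available, starting at the IP header */
    bool     l2_multi;  /* frame arrived on a broadcast/multicast MAC address */
};

enum icmp_verdict { SEND_OK, DROP_IP_MULTI, DROP_MAC_MULTI, DROP_FRAGMENT, DROP_MALFORMED };

/* subnet_bcast: directed broadcast of the receiving interface (assumed known). */
enum icmp_verdict icmp_error_verdict(const struct trigger_pkt *p, uint32_t subnet_bcast)
{
    if (p->ihl < 5 || p->len < (size_t)p->ihl * 4)
        return DROP_MALFORMED;                      /* cannot quote a full IP header */
    if ((p->daddr & 0xF0000000u) == 0xE0000000u ||  /* 224.0.0.0/4 multicast */
        p->daddr == 0xFFFFFFFFu || p->daddr == subnet_bcast)
        return DROP_IP_MULTI;                       /* MUST NOT reply: multicast/broadcast IP */
    if (p->l2_multi)
        return DROP_MAC_MULTI;                      /* MUST NOT reply: multicast/broadcast MAC */
    if ((p->frag_off & 0x1FFFu) != 0)
        return DROP_FRAGMENT;                       /* non-zero offset: not the first fragment */
    return SEND_OK;
}

/* Minimum quote: IP header + 8 bytes, capped to the bytes actually available. */
size_t icmp_min_quote_len(const struct trigger_pkt *p)
{
    size_t want = (size_t)p->ihl * 4 + 8;
    return want < p->len ? want : p->len;
}

int main(void)
{
    /* Constructed samples: 192.168.1.10 first fragment, then 224.0.0.1. */
    struct trigger_pkt first = { 0xC0A8010Au, 0x2000u, 5, 60, false };
    struct trigger_pkt mcast = { 0xE0000001u, 0x0000u, 5, 60, false };
    printf("first fragment: verdict %d, quote %zu bytes\n",
           icmp_error_verdict(&first, 0xC0A801FFu), icmp_min_quote_len(&first));
    printf("multicast dst:  verdict %d\n", icmp_error_verdict(&mcast, 0xC0A801FFu));
    return 0;
}
```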