Is this a good rule? According to http://www.robertgraham.com/pubs/firewall-seen.html#8.1 it's a good thing to accept ICMP types 3 and 4. But now the firewall is open for DoS attacks. So I thought I'd put a limit on the rule:

    iptables -A INPUT -p ICMP --icmp-type destination-unreachable -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
    iptables -A INPUT -p ICMP --icmp-type source-quench -j ACCEPT

If I had a personal firewall allowing some ports out and then allowing everything in that is established or related, for all protocols, then I don't need ICMP types 3 and 4 on input, right? Something like this:

    iptables -A OUTPUT -p TCP -m multiport --dports 20,21,25,53,80,110,443 -j ACCEPT
    iptables -A OUTPUT -p UDP --dport 53 -j ACCEPT
    iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p UDP --dport 33434:33523 -j ACCEPT
    iptables -A INPUT -p ALL -m state --state RELATED,ESTABLISHED -j ACCEPT

Btw: Is this a good (and short) firewall allowing the most common internet protocols and utilities? Any comments on the above?

/Klintan
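To see what the rate-limited rule in the post actually lets through, here is a small model of the iptables `-m limit` match, added as an illustration and not part of Klintan's post or of iptables itself. It assumes the classic token-bucket reading of the match: the bucket holds at most `--limit-burst` tokens, refills at the `--limit` rate, and a packet matches only when a whole token is available; packets that do not match fall through to the next rule, exactly as they would in a real chain. The arrival times below are constructed, not captured traffic.

```python
"""Simplified token-bucket model of the iptables '-m limit' match.

Assumption (not taken from iptables source): a bucket with capacity
--limit-burst that refills continuously at the --limit rate. The real
kernel implementation uses integer credits and jiffies, so exact
boundary behaviour can differ slightly, but the shape is the same.
"""
from dataclasses import dataclass, field

RATE_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str) -> float:
    """Turn an iptables --limit spec such as '10/minute' into packets/second."""
    count, unit = spec.split("/")
    return int(count) / RATE_UNITS[unit]


@dataclass
class LimitMatch:
    rate_per_second: float      # from --limit
    burst: int                  # from --limit-burst
    tokens: float = field(init=False)
    last_seen: float = field(init=False)

    def __post_init__(self) -> None:
        # The bucket starts full, so the first 'burst' packets always match.
        self.tokens = float(self.burst)
        self.last_seen = 0.0

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at time 'now' (seconds) matches."""
        elapsed = now - self.last_seen
        self.tokens = min(float(self.burst),
                          self.tokens + elapsed * self.rate_per_second)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, limit="10/minute", burst=5):
    """Apply the rule from the post to a list of arrival times; True = ACCEPT."""
    match = LimitMatch(parse_limit(limit), burst)
    return [match.matches(t) for t in arrivals]


def count_accepted(arrivals, limit="10/minute", burst=5) -> int:
    return sum(simulate(arrivals, limit, burst))


# Constructed scenario 1: a flood of 50 destination-unreachable packets,
# one every 100 ms. Only the initial burst of 5 is ACCEPTed; the other 45
# do not match and continue down the INPUT chain.
FLOOD = [i * 0.1 for i in range(50)]

# Constructed scenario 2: genuine ICMP errors arriving once every 10 s.
# The bucket refills faster than they arrive, so every one is ACCEPTed.
NORMAL = [i * 10.0 for i in range(10)]

if __name__ == "__main__":
    print("flood  accepted:", count_accepted(FLOOD), "of", len(FLOOD))
    print("normal accepted:", count_accepted(NORMAL), "of", len(NORMAL))
```

Running it shows the trade-off the post is asking about: `10/minute` with a burst of 5 lets a quiet host receive every legitimate destination-unreachable, while a flood is capped at the burst plus one packet per six seconds. Note that the packets which fail the limit match are not dropped by this rule; whether they are dropped depends on the rules after it and on the chain policy.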