> -----Original Message-----
> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Michael K
> Sent: Friday, March 28, 2003 10:19 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Accept icmp-type destination-unreachable with limit
>
>
> Is this a good rule? According to
> http://www.robertgraham.com/pubs/firewall-seen.html#8.1 it's a good
> thing to accept ICMP types 3 and 4. But now the firewall is open to
> DoS attacks, so I thought I'd put a limit on the rule.
>
> iptables -A INPUT -p ICMP --icmp-type destination-unreachable \
>     -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
> iptables -A INPUT -p ICMP --icmp-type source-quench -j ACCEPT
>
> If I had a personal firewall allowing some ports out and then allowing
> in everything that is established and related for all protocols, then I
> don't need ICMP types 3 and 4 for the input, right?
> Something like this:
>
> iptables -A OUTPUT -p TCP -m multiport --dports 20,21,25,53,80,110,443 \
>     -j ACCEPT
> iptables -A OUTPUT -p UDP --dport 53 -j ACCEPT
> iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
> iptables -A OUTPUT -p UDP --dport 33434:33523 -j ACCEPT
> iptables -A INPUT -p ALL -m state --state RELATED,ESTABLISHED \
>     -j ACCEPT
>
> Btw: Is this a good (and short) firewall allowing the most common internet
> protocols and utilities? Any comments on the above?
>
> /Klintan

Are there no comments on this?

/Klintan
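An added example, not part of the mailing-list post: the two ICMP INPUT rules from the question next to a variant that leaves the job to connection tracking, which classifies ICMP error messages quoting a tracked flow as RELATED. The IPT variable, the print_rule dry-run helper and the log prefix are assumptions; with no argument the script only prints the rules, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example: not the poster's script. IPT is an assumed variable so the
# rule set can be printed for review (default) before it is loaded as root.
IPT="${IPT:-iptables}"

# The two INPUT rules from the question, kept for comparison. Note that
# "-m limit ... -j ACCEPT" drops nothing by itself: packets above the rate
# fall through to the rules that follow, or to the chain policy.
original_icmp_rules() {
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable \
        -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
}

# Conntrack variant. Netfilter marks ICMP error messages (destination-
# unreachable, source-quench, time-exceeded, parameter-problem) as RELATED
# when the header they quote matches a tracked flow, so the state rule already
# admits the type 3/4 replies to this host's own traffic. Errors that quote no
# tracked flow are logged at a bounded rate and dropped: the limit now protects
# the log, not an ACCEPT, and the state rule comes first to keep the chain short.
conntrack_icmp_rules() {
    $IPT -A INPUT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable \
        -m limit --limit 10/minute --limit-burst 5 \
        -j LOG --log-prefix "unrelated-icmp3: "
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j DROP
}

# Dry-run stand-in for the iptables binary: print the rule, one per line.
print_rule() {
    printf 'iptables %s\n' "$*"
}

# Print the rules a rule function would load, without touching the kernel.
dry_run() {
    ( IPT=print_rule; "$1" )
}

# Number of rules a rule function loads (uses the dry run, so no root needed).
rule_count() {
    dry_run "$1" | wc -l | tr -d ' '
}

# No argument: print the conntrack variant. "apply": load it (run as root).
case "${1:-}" in
    apply) conntrack_icmp_rules ;;
    *)     dry_run conntrack_icmp_rules ;;
esac
```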