Yes it is commented out. I've added a limit to both echo-request and echo-replies. Hope this would stop problems exhibited by the Welchia Virus.

Regards
edmund

#####################
#####ICMP CHAINS#####
#####################
/sbin/iptables -N ICMP
/sbin/iptables -F ICMP
/sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -p icmp --icmp-type echo-reply -m limit --limit 5/second -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A ICMP -p icmp -j LOG --log-level 5 --log-prefix "ICMP DROP: "
/sbin/iptables -A ICMP -p icmp -j DROP

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Michael Kearey
Sent: Wednesday, October 15, 2003 3:19 PM
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: ICMP floods

Alistair Tonner wrote:

<Snip>

>>/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
>>/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
>>#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -j ACCEPT
^
>>/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit
>>5/second -j ACCEPT
>
>
> The limit rule above will never be used as the packets are already accepted
> by the rule above it.

<Snip>

It's commented out isn't it?

Cheers,
Michael
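
An added illustration, not part of the original thread or of netfilter: a simplified Python model of first-match traversal through a subset of the ICMP chain above. It shows what a rule without `-j` does and why an unlimited ACCEPT placed ahead of the limit rule would shadow it. The integer-credit bucket, the single interface rule and the 100 packets per second flood are constructed assumptions.

```python
# Added example: simplified model of first-match traversal of the ICMP chain.
# Integer credits stand in for the kernel's limit arithmetic (an assumption).

class Limit:
    """`-m limit --limit RATE/second --limit-burst BURST` as a token bucket."""
    def __init__(self, rate, burst=5):            # iptables' default burst is 5
        self.rate, self.cap = rate, burst * 1000  # 1000 credits = one packet
        self.credit, self.last_ms = self.cap, 0

    def match(self, now_ms):
        gained = (now_ms - self.last_ms) * self.rate
        self.credit = min(self.cap, self.credit + gained)
        self.last_ms = now_ms
        if self.credit >= 1000:
            self.credit -= 1000
            return True
        return False

def rule(icmp_type=None, limit=None, target=None):
    return {"type": icmp_type, "limit": limit, "target": target, "hits": 0}

def traverse(chain, icmp_type, now_ms):
    for r in chain:
        if r["type"] not in (None, icmp_type):
            continue
        if r["limit"] and not r["limit"].match(now_ms):
            continue
        r["hits"] += 1
        if r["target"] in ("ACCEPT", "DROP"):     # terminating targets
            return r["target"]
        # no -j at all, or LOG: counters/logging only, keep walking
    return "RETURN"                               # fell off the end of the chain

def build_chain(unlimited_accept_first=False):
    chain = [rule(limit=Limit(1, 10))]            # the -i ethX rule, no -j
    if unlimited_accept_first:                    # the commented-out rule, enabled
        chain.append(rule("echo-request", target="ACCEPT"))
    chain += [rule("echo-request", Limit(5), "ACCEPT"),
              rule("time-exceeded", target="ACCEPT"),
              rule(target="LOG"),
              rule(target="DROP")]
    return chain

def flood(chain, packets=100, gap_ms=10):
    """Replay `packets` echo-requests, one every `gap_ms` milliseconds."""
    verdicts = [traverse(chain, "echo-request", i * gap_ms) for i in range(packets)]
    return verdicts.count("ACCEPT"), verdicts.count("DROP")

if __name__ == "__main__":
    for first in (False, True):
        chain = build_chain(first)
        print(first, flood(chain), [r["hits"] for r in chain])
```

The per-rule hit counts in the model correspond to the packet counters that `iptables -L ICMP -v -n` reports on a live chain.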