> Hm. I was only quoting from RFC792: "The ICMP messages typically report
> errors in the processing of datagrams. To avoid the infinite regress of
> messages about messages etc., no ICMP messages are sent about ICMP messages."
>
> Perhaps this isn't quite as clear or specific as it should be?

It sure is. Echo replies for echo requests, dest unreachs for e.g. echo
requests or timestamp requests, etc. all are fine and seen normally in
networks and on the Internet.

We are not supposed to send error messages for error messages:
e.g. dest unreach for ttl-expired.

We are allowed to use error messages for information messages:
e.g. ttl-expired for timestamp requests, net-prohib for echo replies
(e.g. nonstateful replies that could suggest inverse mapping of our network).

To conclude the issue:

- use "-p icmp --icmp-type 8/0" for matching echo requests (type 8, code 0)
- using -j REJECT --reject-with net-prohib does not require a fresh kernel
  and iptables. Only admin-prohib does.
- Yes, you are allowed in terms of RFCs to send back net-prohib for echo
  requests.

Regards,
Maciej
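Added example, not from the thread: a small Python check of the RFC 792 rule Maciej describes. Given a raw IPv4/ICMP packet it verifies the ICMP checksum and decides whether answering with an ICMP error such as iptables' --reject-with icmp-net-prohibited (the long form of the net-prohib shorthand above) stays within the RFC: yes for query types like echo request (8/0), no for error types like time exceeded. The packet builder, addresses and type sets are constructed test data, not anything from the original message.

```python
import struct

# RFC 792 query ("information") types: echo reply/request, timestamp
# request/reply, information request/reply. Errors about these are allowed.
ICMP_INFORMATIONAL = {0, 8, 13, 14, 15, 16}
# RFC 792 error types: dest unreachable, source quench, redirect,
# time exceeded (ttl-expired), parameter problem. No errors about these.
ICMP_ERROR = {3, 4, 5, 11, 12}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(packet: bytes):
    """Return (icmp_type, icmp_code) for a raw IPv4/ICMP packet, else None.
    Only the ICMP checksum is verified; the IP header checksum is ignored."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:  # corrupted or forged ICMP header
        return None
    return icmp[0], icmp[1]


def may_reject_with_icmp_error(packet: bytes) -> bool:
    """True if REJECTing this packet with an ICMP error (e.g. net-prohib)
    stays within RFC 792: only well-formed ICMP query messages qualify."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None or parsed[0] in ICMP_ERROR:  # no errors about errors
        return False
    return parsed[0] in ICMP_INFORMATIONAL  # unknown types: be conservative


def build_ipv4_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Constructed test packet: minimal IPv4 header (checksum left 0) + ICMP."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, rest) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp
```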