On Friday 02 July 2004 5:36 pm, Jason Lunz wrote:

> Antony@xxxxxxxxxxxxxxxxxxxx said:
> > You should certainly allow ICMP through if you want traceroute to work,
> > and you should generally allow ICMP if you want many other things to
> > work. If you want to block certain types of ICMP, that's fine (many
> > people do), but don't block all ICMP.
>
> Speaking of which, what's the consensus on appropriate ICMP filtering?

Personally I'm happy with anything which gets classified as RELATED by netfilter.

I allow ESTABLISHED,RELATED packets in & out of my firewall, and I specify particular TCP & UDP ports (and a bit of ESP) which I want to allow through as well - I don't use any ICMP-specific rules.

Regards,

Antony.

--
"The future is already here. It's just not evenly distributed yet."
 - William Gibson

Please reply to the list; please don't CC me.