On Thursday 15 July 2004 6:03 pm, Real Cucumber wrote:

> I'm trying to determine the best practice for allowing
> the required ICMP messages to ensure stable
> networking, while at the same time not allowing pings
> or other unnecessary parts.

Personally, I simply use the ICMP types which are matched by "-m state --state RELATED". They seem to do enough for me.

> Also do I need to allow those in all 3 chains or just
> the forward since it does not allow direct connections
> to it anyhow?

I would allow the firewall to send ICMP messages through its OUTPUT chain, and if it can generate any connections from itself, then you should allow them in through the INPUT chain as well, however you say you do not allow outgoing connections (not even DNS??), so this may not be needed.

Regards,

Antony.

-- 
"The future is already here. It's just not evenly distributed yet."
 - William Gibson

Please reply to the list; please don't CC me.
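
Added example, not part of the original message or thread: a shell check over iptables-save output that flags ICMP ACCEPT rules in INPUT or FORWARD which have no state restriction or admit NEW (so pings would get through), while leaving OUTPUT alone as the reply suggests. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ICMP ACCEPT rules in iptables-save text.
# sample_rules, classify_icmp_rules and icmp_findings are hypothetical names.

# Constructed sample: RELATED-only ICMP in INPUT/FORWARD, firewall may send
# ICMP via OUTPUT, plus one FORWARD rule that admits echo-request (type 8).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A FORWARD -p icmp -m state --state RELATED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints "<chain> <verdict>" for each
# rule that accepts ICMP, based on the state list given to --state/--ctstate.
classify_icmp_rules() {
    awk '
    $1 == "-A" && / -p icmp / && / -j ACCEPT/ {
        states = ""
        for (i = 3; i < NF; i++)
            if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
        if (states == "")                      verdict = "stateless"
        else if (states ~ /(^|,)NEW(,|$)/)     verdict = "allows-new"
        else if (states ~ /(^|,)RELATED(,|$)/) verdict = "related"
        else                                   verdict = "other-state"
        print $2, verdict
    }'
}

# Findings: INPUT/FORWARD rules that accept ICMP with no state match or with
# NEW allowed. OUTPUT is skipped because the firewall may send ICMP itself.
icmp_findings() {
    classify_icmp_rules |
        awk '$1 != "OUTPUT" && ($2 == "stateless" || $2 == "allows-new")'
}
```

On a live firewall, `iptables-save | icmp_findings` (run as root) applies the same check; empty output means no `-p icmp` ACCEPT rule in INPUT or FORWARD is stateless or admits NEW.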