On Dec 21, 2005 at 1336 -0500, Derick Anderson appeared and said:

> After reading the ICMP state machine section of the Netfilter tutorial
> [http://iptables-tutorial.frozentux.net/iptables-tutorial.html#ICMPCONNECTIONS]
> it appears that ICMP traffic related to existing TCP and UDP
> connections falls under the RELATED,ESTABLISHED rules.

This is true. However, you need some inbound ICMP in order to support things like Path MTU discovery. I often allow the inbound ICMP message types time-exceeded, destination-unreachable and parameter-problem. This covers messages that deal with packet fragmentation. You might want to disallow some of the destination-unreachable messages.

Best,
René.

-- 
)\._.,--....,'``.        Let GNU/Linux work for you while you take a nap.
/,   _.. \   _\  (`._ ,. R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'  - System administration + Consulting + Teaching -
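The rule set René describes, written out as an added example (not from the thread or the tutorial): RELATED,ESTABLISHED first, then the three ICMP types named above, with destination-unreachable narrowed to the one subtype PMTUD actually needs. Assumed: an INPUT chain with a DROP policy, and a dry-run mode that only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Emits (or applies) INPUT rules for the ICMP types needed for PMTUD.
# Assumption: INPUT policy is DROP, so anything not accepted here is dropped.

# Types the reply allows inbound unconditionally.
ICMP_ALLOW="time-exceeded parameter-problem"
# destination-unreachable narrowed to the subtype PMTUD relies on
# (type 3, code 4); other unreachables such as port-unreachable stay out.
UNREACH_ALLOW="fragmentation-needed"

icmp_rules() {
  # Usage: icmp_rules [command]; default "echo iptables" is a dry run that
  # prints the rules, pass "iptables" (as root) to actually install them.
  cmd=${1:-"echo iptables"}

  # ICMP errors tied to a tracked TCP/UDP flow already pass via RELATED.
  $cmd -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # Explicit allow list, rate-limited so a flood of errors cannot hurt.
  for t in $ICMP_ALLOW $UNREACH_ALLOW; do
    $cmd -A INPUT -p icmp --icmp-type "$t" -m limit --limit 10/s -j ACCEPT
  done

  # Log and drop any remaining ICMP (echo-request, redirect, other
  # unreachables) so the decision is visible when debugging connectivity.
  $cmd -A INPUT -p icmp -j LOG --log-prefix "icmp-drop: "
  $cmd -A INPUT -p icmp -j DROP
}

# Dry run: print the rules that would be installed.
icmp_rules
```

Run the function with `iptables` as its argument to apply the rules; the default prints them so the policy can be reviewed first.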