On Dec 21, 2005 at 1701 -0500, Chris Brenton appeared and said:

> On Wed, 2005-12-21 at 20:22 +0100, Cedric Blancher wrote:
> >
> > In addition to this, Netfilter, unlike some popular proprietary
> > products, provides proper stateful ICMP filtering. Just use it. Valid
> > ICMP errors will fall into the RELATED state, others will be INVALID.
>
> Agreed. The payload on ICMP errors (which contains 28 bytes of the
> packet which generated the error) is inspected and compared against the
> state entry. This means RELATED is more than capable of letting through
> needed ICMP errors and dropping the bogus stuff. So you are cool with
> types 3, 4, 5 & 11. The average perimeter does not need much more than
> that.

In addition to that you can add some general size limits for ICMP packets. Theoretically ICMP packets can be 64 kB, and there are tools out there that use oversized packets for tunneling data.

Best,
René.

-- 
)\._.,--....,'``.    Let GNU/Linux work for you while you take a nap.
/,   _.. \   _\  (`._ ,.    R. Pfeiffer <lynx at luchs.at> + http://web.luchs.at/
`._.-(,_..'--(,_..'`-.;.'   - System administration + Consulting + Teaching -
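The policy the thread sketches (conntrack decides which ICMP errors are RELATED, INVALID is dropped, and a size cap blocks oversized ICMP) as an added example; this is not code from the thread or from the Netfilter project. It assumes a Linux host with conntrack loaded and the `conntrack`, `length` and `limit` iptables matches available. The rules are emitted through `$IPT`, which defaults to `echo iptables` so the script dry-runs and prints the rules; set `IPT=iptables` and run as root to apply them to the INPUT chain. The 576-byte cap and the 5/s echo limit are constructed values to tune for your site.

```shell
#!/bin/sh
# Added example: stateful ICMP policy for the INPUT chain, after the
# netfilter-list thread above. Dry-run by default; IPT=iptables applies.
IPT="${IPT:-echo iptables}"   # left unquoted below on purpose so it word-splits

icmp_rules() {
    # 1. Whatever conntrack cannot tie to a flow is INVALID: ICMP errors whose
    #    embedded 28 bytes match no state entry, replies nobody asked for, etc.
    $IPT -A INPUT -p icmp -m conntrack --ctstate INVALID -j DROP

    # 2. Size cap. A genuine ICMP error is a few dozen bytes (RFC 1812 allows
    #    up to 576 including the IP header) and echo payloads are small, so
    #    anything above 576 bytes total length is dropped. -m length checks the
    #    layer-3 length, which also covers fragments of a 64 kB ICMP datagram.
    #    (576 is a constructed threshold; raise it if your links need larger
    #    path-MTU or echo payloads.)
    $IPT -A INPUT -p icmp -m length --length 577:65535 -j DROP

    # 3. ICMP errors conntrack has matched to an existing flow are RELATED.
    #    Types 3 (unreachable), 4 (source quench), 5 (redirect) and
    #    11 (time exceeded) as listed in the thread; the explicit type list
    #    only documents intent, since RELATED is already the real filter.
    for t in 3 4 5 11; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -m conntrack --ctstate RELATED -j ACCEPT
    done

    # 4. Echo: accept new requests at a modest rate (constructed limit);
    #    replies to pings this host sent come back as ESTABLISHED.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # 5. Any other ICMP (timestamp, address mask, unmatched errors) is dropped.
    $IPT -A INPUT -p icmp -j DROP
}

icmp_rules
```

Rule order matters: the INVALID drop and the length cap sit before the ACCEPT rules so that a bogus or oversized error never reaches the RELATED match, and the final drop means a type that is not listed is denied rather than falling through to whatever policy the chain has.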