On Thu, 2005-12-22 at 01:29 +0100, René Pfeiffer wrote:

> This is true. However, you need some inbound ICMP in order to support
> things like Path MTU discovery.

As mentioned, the only modern OS I'm aware of that uses straight ICMP for path MTU is 3-4 year-old AIX boxes. The sane way to do this is to set Don't Fragment (DF) in the IP header and watch for returning type 3 code 4's. Also as mentioned, RELATED will pass these in without a problem, so no special rules are needed.

> In addition to that you can add some general size limits for ICMP
> packets. Theoretically ICMP packets can have 64 kB and there are tools
> out there that use oversized packets for tunneling data.

I've run the following rules for about four years now on numerous firewalls I maintain:

    iptables -A FORWARD -p icmp -f -j LOG --log-prefix " ICMPFRAG "
    iptables -A FORWARD -p icmp -f -j REJECT --reject-with icmp-host-unreachable

In short, the rules look for fragmented ICMP datagrams. I've seen exactly zero legitimate packets get picked up by this rule. Every time it's triggered, it's been because of an attack.

I agree that size limits could also be extremely useful. While the spec says it can be as large as 65,535 bytes, in practice you should never see anything larger than your local MTU. Further, I would even be suspicious of any ICMP larger than 100 bytes or so. Most legit ICMP will be below this size.

HTH,
Chris
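As an added example (not part of Chris's message and not code from any tool he mentions), the following Python script applies the two heuristics from the reply, fragmented ICMP and ICMP datagrams larger than about 100 bytes, to netfilter LOG output on the firewall's syslog side. The ICMPFRAG prefix is the one from the rule above; the ICMPIN prefix (assumed to come from a second, general ICMP LOG rule), the addresses and the log lines themselves are constructed for this example, not captured from a real firewall. It also shows why a parser must take only the first SRC=/LEN= on a line: ICMP error messages such as the type 3 code 4 discussed above carry the embedded original header in brackets, with its own LEN=.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefix written by the LOG rule quoted in the message above.
FRAG_PREFIX = "ICMPFRAG"
# Size (bytes, whole IP datagram) above which the reply considers ICMP suspect.
SUSPECT_SIZE = 100

# Constructed sample lines in netfilter LOG format (not from a real firewall).
# "ICMPIN" is an assumed prefix from a hypothetical general ICMP LOG rule.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 22 01:30:01 fw kernel:  ICMPFRAG IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4711 MF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec 22 01:30:01 fw kernel:  ICMPFRAG IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4711 MF FRAG:1480 PROTO=ICMP INCOMPLETE [8 bytes]
Dec 22 01:30:02 fw kernel: ICMPIN IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=3
Dec 22 01:30:03 fw kernel: ICMPIN IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=198.51.100.5 LEN=56 TOS=0xC0 PREC=0x00 TTL=60 ID=3 DF PROTO=ICMP TYPE=3 CODE=4 [SRC=198.51.100.5 DST=203.0.113.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0 ] MTU=1400
Dec 22 01:30:04 fw kernel: ICMPIN IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=198.51.100.5 LEN=1400 TOS=0x00 PREC=0x00 TTL=60 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Dec 22 01:30:05 fw sshd[1234]: Accepted publickey for admin from 203.0.113.2 port 40000 ssh2
"""

PREFIX_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(.*?)\s*IN=")
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|LEN|PROTO|TYPE|CODE)=(\S*)")
# MF (more fragments) on the first fragment, FRAG:<offset> on the later ones.
FRAG_RE = re.compile(r"\bMF\b|\bFRAG:\d+")


@dataclass
class IcmpLogEntry:
    prefix: str
    src: str
    dst: str
    length: int
    proto: str
    fragment: bool
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_log_line(line: str) -> Optional[IcmpLogEntry]:
    """Parse one netfilter LOG line; return None for lines that are not packet logs."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    # Keep only the first occurrence of each field: ICMP error messages repeat
    # SRC=/DST=/LEN=/PROTO= for the embedded original header inside [...].
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    if "SRC" not in fields or "LEN" not in fields:
        return None
    return IcmpLogEntry(
        prefix=m.group(1).strip(),
        src=fields["SRC"],
        dst=fields.get("DST", ""),
        length=int(fields["LEN"]),
        proto=fields.get("PROTO", ""),
        fragment=bool(FRAG_RE.search(line)),
        icmp_type=int(fields["TYPE"]) if "TYPE" in fields else None,
        icmp_code=int(fields["CODE"]) if "CODE" in fields else None,
    )


def findings_for(entry: IcmpLogEntry, size_limit: int = SUSPECT_SIZE) -> List[str]:
    """Apply the two heuristics from the reply to one ICMP log entry."""
    if entry.proto != "ICMP":
        return []
    hits: List[str] = []
    if entry.prefix == FRAG_PREFIX or entry.fragment:
        hits.append("fragmented")   # no legitimate ICMP should arrive fragmented
    if entry.length > size_limit:
        hits.append("oversized")    # above the ~100 byte ceiling suggested above
    return hits


def summarize(log_text: str, size_limit: int = SUSPECT_SIZE) -> Dict[str, List[str]]:
    """Group findings by source address so one noisy host is reported once."""
    report: Dict[str, set] = {}
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        hits = findings_for(entry, size_limit)
        if hits:
            report.setdefault(entry.src, set()).update(hits)
    return {src: sorted(h) for src, h in report.items()}


if __name__ == "__main__":
    for src, hits in summarize(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(hits)}")
```

Run it against `journalctl -k` or the firewall's syslog instead of `SAMPLE_LOG` to get the same per-source summary. The type 3 code 4 line is deliberately left unflagged: it is exactly the PMTU feedback that RELATED lets through, and its outer LEN= (56 here) is what the size check must use, not the LEN=1500 of the quoted original datagram.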