Re: ICMP types to allow

Zitat von René Pfeiffer <lynx@xxxxxxxx>:

On Dec 21, 2005 at 1336 -0500, Derick Anderson appeared and said:

After reading the ICMP state machine section of the Netfilter tutorial
[http://iptables-tutorial.frozentux.net/iptables-tutorial.html#ICMPCONNECTIONS]
it appears that ICMP traffic related to existing TCP and UDP
connections falls under the RELATED,ESTABLISHED rules.

This is true. However you need some inbound ICMP in order to support
things like Path MTU discovery. I often allow the inbound ICMP message types
time-exceeded, destination-unreachable and parameter-problem. This
covers messages that deal with packet fragmentation. You might want to
disallow some of the destination-unreachable messages.

As far as I know, path MTU discovery works by setting up the connection with DF set and raising the packet size until an ICMP error comes back. This case is covered fine by the RELATED stuff. Time-exceeded and destination-unreachable are also only valid as a reply to some IP traffic.
So as the tutorial describes, there are only 4 types which could be really new:
"Echo request, Timestamp request, Information request and finally Address mask request". For me only the first one makes sense to allow. All the really critical stuff can be handled by the ICMP state machine.

Regards

Andreas
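As an added illustration (not part of the thread or the tutorial), here is a small Python model of the ICMP state machine Andreas refers to, with the policy of accepting only echo-request as NEW; the conntrack tuple shape and the sample table are constructed assumptions, not the kernel's data structures.

```python
# Added example, not from the thread: a small model of how Netfilter's ICMP
# connection tracking classifies inbound ICMP, plus the policy Andreas proposes
# (state handles errors and replies; only echo-request is accepted as NEW).
# Type numbers are from RFC 792; the classification mirrors nf_conntrack_proto_icmp.

# The tutorial's four request types that can open a new entry, and their replies.
REQUEST_TO_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}
REPLY_TO_REQUEST = {reply: req for req, reply in REQUEST_TO_REPLY.items()}
# Error types that embed the offending packet's header and are matched as RELATED:
# unreachable, source quench, redirect, time exceeded, parameter problem.
ERROR_TYPES = {3, 4, 5, 11, 12}

def classify(icmp_type, conntrack, inner=None, src=None, dst=None):
    """Return the conntrack state of one inbound ICMP message.
    conntrack holds tracked tuples in an assumed shape (not the kernel's format):
    ('tcp'|'udp', local_ip, local_port, remote_ip, remote_port) for our flows and
    ('icmp', request_type, local_ip, remote_ip) for our own outbound requests.
    inner is the quoted original header of an error message, in the same shape;
    src/dst are the outer IP addresses, used to match a reply to our request.
    """
    if icmp_type in ERROR_TYPES:
        # RELATED only if the quoted inner packet belongs to a tracked connection.
        return "RELATED" if inner in conntrack else "INVALID"
    if icmp_type in REPLY_TO_REQUEST:
        # A reply is ESTABLISHED only if we sent the matching request to that host.
        sent = ("icmp", REPLY_TO_REQUEST[icmp_type], dst, src)
        return "ESTABLISHED" if sent in conntrack else "INVALID"
    if icmp_type in REQUEST_TO_REPLY:
        return "NEW"
    return "INVALID"   # no valid request/reply mapping, never tracked

def verdict(icmp_type, state):
    """The thread's policy: state handles everything, only one NEW type is allowed."""
    if state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if state == "NEW" and icmp_type == 8:   # echo-request is the only NEW type allowed
        return "ACCEPT"
    return "DROP"

# Constructed sample table: one outbound TCP connection and one outbound ping.
CONNTRACK = {
    ("tcp", "192.0.2.10", 40000, "198.51.100.7", 443),
    ("icmp", 8, "192.0.2.10", "198.51.100.7"),
}

def decide(icmp_type, inner=None, src=None, dst=None):
    """Classify against the sample table and return (state, verdict)."""
    state = classify(icmp_type, CONNTRACK, inner, src, dst)
    return state, verdict(icmp_type, state)
```

A fragmentation-needed error quoting the tracked TCP flow comes back RELATED and is accepted without any explicit ICMP rule, while a timestamp or address mask request is NEW and dropped.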
