Re: ICMP types to allow

>I'd like to hear from the list what ICMP types firewall admins are
>allowing and why - what are the risks for allowing certain types vs. the
>risks of NOT allowing them?

Well, I don't allow something, I block certain types so I can be sure that 
nothing is implicitly hindered:

    for j in redirect router-advertisement router-solicitation 30; do
        ipt -A INPUT -j DROP -p icmp --icmp-type "$j";
    done;

30 = UDP-traceroute, but iptables does not have a mnemonic name for it.




Jan Engelhardt
-- 
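A check that the four DROP rules from the loop above are actually present in a ruleset, as an added example that is not part of the original post. It assumes input shaped like iptables-save's `-A INPUT ...` lines; the function names, the WANTED list and the sample ruleset are constructed for illustration.

```shell
# Added example, not from the original post. Reads iptables-save style text
# on stdin and prints each ICMP type from the post that has no unconditional
# DROP rule in INPUT. Pairs are name:number (IANA ICMP type numbers).
WANTED="redirect:5 router-advertisement:9 router-solicitation:10 30:30"
missing_icmp_drops() {
    awk -v wanted="$WANTED" '
        BEGIN {
            n = split(wanted, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, ":")
                name[i] = kv[1]; num[i] = kv[2]
            }
        }
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; type = ""; target = ""; narrowed = 0; f = 3
            while (f <= NF) {
                if ($f == "!") { narrowed = 1; f++; continue }
                key = $f; val = $(f + 1); f += 2
                if (key == "-p") proto = val
                else if (key == "-m") { if (val != "icmp") narrowed = 1 }
                else if (key == "--icmp-type") type = val
                else if (key == "-j") target = val
                else narrowed = 1   # -s, -i and similar restrict the rule
            }
            # A type/code value such as 5/1 covers one code only: not counted.
            if ((proto == "icmp" || proto == "1") && target == "DROP" &&
                !narrowed && type != "" && index(type, "/") == 0)
                covered[type] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(name[i] in covered) && !(num[i] in covered))
                    print name[i]
        }'
}
# Constructed sample ruleset, for illustration only.
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -p icmp -m icmp --icmp-type router-advertisement -j DROP
-A INPUT -s 192.0.2.0/24 -p icmp -m icmp --icmp-type 10 -j DROP
COMMIT
EOF
}
sample_ruleset | missing_icmp_drops
```

The check does not model rule order, so an earlier ACCEPT for the same type would still shadow a DROP that it reports as present.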

