On Wed, 2004-10-13 at 08:41, Ow Mun Heng wrote:
> > > > -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> > >
> > > You drop all other ICMP types other than echo (=8). That is bad. ICMP is
> > > an important protocol and blocking specific types will break things! If
> > > you don't know for sure why you block a specific ICMP type then just
> > > don't. You gain no security.
> >
> > So I guess I should change this line with:
> >
> > -A INPUT -p icmp -j ACCEPT
> >
> > Is this OK?
>
> Actually I would prefer that ICMP type 8 is disallowed only. So the
> right rules should be:
>
> -A INPUT -p icmp -m icmp --icmp-type 8 -j LOGDROP
> -A INPUT -p icmp -j ACCEPT
>
> > If these are ACK packets, I assume that they are a response to a previously
> > established communication. How can I let these packets come into my
>
> Based on the logs, yes they would seem to be ACK packets, but look at
> the DST, these are supposed to be NON-routable addresses 192.168.x.x,
> which I think _should_ be rejected.
>
> Unless you are running NAT and you're doing DNAT. (?) Are you?

My Linux box (192.168.1.2) is connected through an ADSL router
(192.168.1.1, internal IP), so I guess it is OK to let them come into my
box. How can I manage that?

Juan
--
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
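As an added example that is not part of the thread or of anyone's posted rules: a small POSIX shell script for the INPUT chain that covers both questions above, letting replies to the box's own connections in through connection tracking and logging and dropping only ICMP echo-request. It assumes the LOGDROP chain name from the quoted rules (created here) and the conntrack match of current iptables; on very old kernels the equivalent is "-m state --state".

```shell
#!/bin/sh
# Added example, not from the thread. Builds an INPUT policy for a host
# behind a NAT router (like 192.168.1.2 behind 192.168.1.1): replies to its
# own connections are accepted by connection tracking, ICMP is accepted
# except echo-request, which goes to the LOGDROP chain (assumed name).
set -eu

IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them

firewall_rules() {
    # LOGDROP: rate-limited log line, then drop. "|| true" keeps set -e
    # quiet when the chain already exists on a re-run.
    "$IPT" -N LOGDROP 2>/dev/null || true
    "$IPT" -F LOGDROP
    "$IPT" -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "LOGDROP: "
    "$IPT" -A LOGDROP -j DROP

    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT

    # The ACK packets seen in the logs: if they belong to a connection this
    # box opened, conntrack marks them ESTABLISHED (or RELATED for ICMP
    # errors about it) and they are accepted here. Packets that fit no
    # known connection are INVALID and get logged and dropped.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j LOGDROP

    # ICMP: only echo-request (type 8) is logged and dropped; unreachable,
    # time-exceeded and fragmentation-needed still get through.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j LOGDROP
    "$IPT" -A INPUT -p icmp -j ACCEPT

    # A new inbound TCP connection must start with a bare SYN; a stray
    # ACK that conntrack classifies as NEW is not one.
    "$IPT" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOGDROP

    # Everything else is dropped by policy.
    "$IPT" -P INPUT DROP
}

case "${1:-}" in
    apply)   firewall_rules ;;
    dry-run) IPT=echo; firewall_rules ;;
esac
```

"sh fw.sh dry-run" prints the rules; "sh fw.sh apply" needs root and replaces the current INPUT chain.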