On Tue, 02.08.2005 at 10:43, Edward Dekkers wrote:

> I have a rule in my firewall's INPUT chain to drop incoming ICMP.

Sorry to say, but that is braindead (no offense). ICMP is an important
protocol and does not only know the echo-request and echo-reply types. A
proper network relies on proper ICMP transmission.

> The net result of this is that when I'm testing, and I ping outwards,
> the echoes don't come back.

Not only that. Again, you are shooting yourself in the foot with that
blackhole setup.

> The rule looks like this:
>
> echo " Dropping ICMP from outside"
> $IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP
> $IPTABLES -A FORWARD -j LOG

http://www.faqs.org/docs/iptables/icmptypes.html

So *if* you really think you gain anything by blocking incoming ping echo
requests, then only handle ICMP types 0 and 8 within your ruleset and let
all other types flow.

> On the forward chain I have this:
>
> echo " FWD: Allow all connections OUT and only existing and related
> ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
>
> Can something similar be done for ICMP? i.e. allow echo ICMP packets
> back in only if I've pinged somebody?

http://www.faqs.org/docs/iptables/icmpconnections.html

> Regards,
> Ed.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 15:25:24 up 17 days, 19:57, load average: 0.20, 0.26, 0.18
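The ruleset the reply points at, written out as an added example (it is not code from either poster or from the linked iptables tutorial): the original "drop all ICMP on the external interface" rule beside a selective version that refuses only unsolicited echo-request (type 8), lets replies to the host's own pings and ICMP errors for existing connections back in through conntrack, and passes every other ICMP type. Interface names eth0/eth1 are assumptions (override with EXTIF/INTIF), and IPTABLES defaults to a dry-run "echo iptables" so the generated rules can be inspected without root; set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumed interfaces:
# external eth0, internal eth1. IPTABLES defaults to a dry run that prints
# the rules instead of loading them.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
IPTABLES="${IPTABLES:-echo iptables}"

# The original poster's rule: every ICMP type arriving on the external
# interface is dropped, including echo-reply (0), destination-unreachable (3)
# and time-exceeded (11). Outbound pings never get their answer and
# path-MTU discovery and traceroute responses are lost too.
icmp_rules_blackhole() {
    $IPTABLES -A INPUT -i "$EXTIF" -p icmp -j DROP
}

# Selective version: only inbound echo-request is refused. Echo replies to
# our own pings and ICMP errors tied to our connections are ESTABLISHED or
# RELATED in conntrack and are accepted first; all remaining ICMP flows.
icmp_rules_selective() {
    # Replies and errors belonging to traffic this host started.
    $IPTABLES -A INPUT -i "$EXTIF" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited pings from outside (ICMP type 8).
    $IPTABLES -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP
    # Everything else ICMP (unreachable, time-exceeded, ...) is needed.
    $IPTABLES -A INPUT -i "$EXTIF" -p icmp -j ACCEPT
}

# Same shape on the FORWARD chain so LAN hosts get their echo replies back
# while the outside still cannot ping them.
icmp_rules_forward() {
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p icmp --icmp-type echo-request -j DROP
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
}

# Check helper: counts rules that drop ICMP with no type match, i.e. the
# blackhole pattern the reply warns against. Reads rule text on stdin
# argument $1 and prints the count (0 when none found).
count_drop_all_icmp() {
    printf '%s\n' "$1" | grep -c -- '-p icmp -j DROP' || true
}

# Usage: ./icmp-rules.sh apply      (dry run unless IPTABLES=iptables)
if [ "${1:-}" = "apply" ]; then
    icmp_rules_selective
    icmp_rules_forward
fi
```

In the dry run, the selective ruleset prints three INPUT rules and the check helper reports zero untyped ICMP drops for it, versus one for the blackhole rule. On a host with iptables, set IPTABLES=iptables, flush the old ICMP rule first, and keep the ESTABLISHED,RELATED rule ahead of the echo-request drop so that order, not luck, decides which replies get in.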