epike on Thu, 26 Dec 2002 15:50:30 -0500
Hi, I don't really understand all of ICMP yet. Would it be a bad idea to
just allow all ICMP packets?

e pike / jondz

>
> > #################################################################
> > # ICMP TYPES (incomplete)
> > # --------------------------
> > # (ideas gathered from fw script of vogt@hansenet.com)
> > #
> > # 0 - echo reply
> > # 8 - echo
> > # 3 - Destination Unreachable
> > # 11 - Time Exceeded
>
> I would also recommend permitting ICMP type 4, source quench messages.
>
> > # 30 - Traceroute
>
> ICMP type 30 is currently unused, and can be safely left out of your
> firewall configuration. (It was proposed in RFC1393 for the purposes of
> introducing a new method of tracerouting -- rather than sending multiple
> probe packets with varying TTL values, a single probe packet would have
> been sent containing an IP option. In addition to forwarding packets
> containing this IP option normally, gateways would have also sent an ICMP
> type 30 response to the packet's originator. It's a much more elegant
> solution, and it's a shame no major router vendor ever implemented it.)
>
> -mct
> _________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
> General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
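An allow-list for the ICMP types discussed in this thread, as an added example that is not part of either poster's message. iptables and the INPUT chain are assumptions (the thread does not name the firewall tool), and the function name `icmp_allow_rules` is hypothetical.

```shell
#!/bin/sh
# Added example: emit iptables rules that accept only the ICMP types named
# in the thread and drop all other ICMP. Rules are printed, not applied.
# Assumptions: iptables is the firewall in use and INPUT is the chain.

# Types from the quoted script (0, 8, 3, 11) plus type 4 as recommended in
# the reply. Type 30 is left out, as the reply suggests.
# Note: RFC 6633 (2012) later deprecated source quench (type 4).
THREAD_TYPES="0 8 3 11 4"

# icmp_allow_rules CHAIN TYPE...
# Prints one ACCEPT rule per distinct valid type, then a final DROP for
# every other ICMP type. Returns 2 and prints no rule at all if any type
# is not an integer in 0-255, so a typo never yields a partial rule set.
icmp_allow_rules() {
    chain=$1; shift
    rules=""
    seen=" "
    for t in "$@"; do
        case $t in
            ''|*[!0-9]*) echo "invalid ICMP type: $t" >&2; return 2 ;;
        esac
        [ "$t" -le 255 ] || { echo "ICMP type out of range: $t" >&2; return 2; }
        case $seen in *" $t "*) continue ;; esac   # skip duplicates
        seen="$seen$t "
        rules="${rules}iptables -A $chain -p icmp --icmp-type $t -j ACCEPT
"
    done
    printf '%s' "$rules"
    # Unlike a blanket "-p icmp -j ACCEPT", anything not listed stops here.
    echo "iptables -A $chain -p icmp -j DROP"
}

# Print the rule set for the thread's list so it can be reviewed first.
icmp_allow_rules INPUT $THREAD_TYPES
```
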