epike on Thu, 26 Dec 2002 15:50:30 -0500



Re: [PLUG] my first fw rules


hi

I don't really understand all of ICMP yet. Would it be a bad idea
to just allow all ICMP packets?

e pike / jondz

> 
> > #################################################################
> > # ICMP TYPES (incomplete)
> > # --------------------------
> > # (ideas gathered from fw script of vogt@hansenet.com)
> > #
> > # 0  - echo reply
> > # 8  - echo
> > # 3  - Destination Unreachable
> > # 11 - Time Exceeded
> 
> I would also recommend permitting ICMP type 4, source quench messages.
> 
> > # 30 - Traceroute
> 
> ICMP type 30 is currently unused, and can be safely left out of your
> firewall configuration.  (It was proposed in RFC1393 for the purposes of
> introducing a new method of tracerouting -- rather than sending multiple
> probe packets with varying TTL values, a single probe packet would have
> been sent containing an IP option.  In addition to forwarding packets
> containing this IP option normally, gateways would have also sent an ICMP
> type 30 response to the packet's originator.  It's a much more elegant
> solution, and it's a shame no major router vendor ever implemented it.)
> 
> -mct

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
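The thread's answer to "just allow all ICMP?" is an allowlist of the types a host actually needs (0, 3, 8, 11, plus 4 as the reply suggests) with everything else, including the never-deployed type 30, dropped. The example below is added here and is not code from the thread or from any participant: it builds a few ICMP messages with valid RFC 1071 checksums as constructed sample input, classifies raw ICMP messages against that allowlist (dropping truncated or checksum-corrupted ones as well as disallowed types), and renders the same policy as iptables commands. The type numbers are the RFC 792 values named in the thread; the chain name `INPUT` and the `classify`/`iptables_rules` helpers are assumptions of this example.

```python
import struct

# ICMP type numbers named in the thread (RFC 792). Type 30 appears in the
# original script's comment block but, as the reply notes, was proposed in
# RFC 1393 and never deployed.
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11
ICMP_TRACEROUTE = 30

# Allowlist as recommended in the reply: the original four types plus
# source quench. Anything not listed is dropped.
ALLOWED_TYPES = frozenset({
    ICMP_ECHO_REPLY,
    ICMP_DEST_UNREACH,
    ICMP_SOURCE_QUENCH,
    ICMP_ECHO,
    ICMP_TIME_EXCEEDED,
})


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.

    Over a message whose checksum field is already filled in correctly,
    this returns 0, which is how classify() validates incoming messages.
    """
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (constructed sample input)."""
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unchecked)) + payload


def classify(packet: bytes) -> str:
    """Return 'ACCEPT' or 'DROP' for a raw ICMP message under the allowlist.

    A message shorter than the 4-byte ICMP header or with a bad checksum is
    dropped before its type is even consulted.
    """
    if len(packet) < 4:
        return "DROP"
    icmp_type, _code, _checksum = struct.unpack("!BBH", packet[:4])
    if icmp_checksum(packet) != 0:
        return "DROP"
    return "ACCEPT" if icmp_type in ALLOWED_TYPES else "DROP"


def iptables_rules(chain: str = "INPUT") -> list:
    """Render the allowlist as iptables commands: one ACCEPT per allowed type,
    then a DROP for every other ICMP message (chain name is an assumption)."""
    rules = [
        "iptables -A %s -p icmp --icmp-type %d -j ACCEPT" % (chain, t)
        for t in sorted(ALLOWED_TYPES)
    ]
    rules.append("iptables -A %s -p icmp -j DROP" % chain)
    return rules


if __name__ == "__main__":
    # Constructed sample traffic: an echo request with a small payload, a
    # time-exceeded message, the unused traceroute type, and a truncated header.
    samples = {
        "echo request": build_icmp(ICMP_ECHO, 0, b"\x00\x01\x00\x01"),
        "time exceeded": build_icmp(ICMP_TIME_EXCEEDED),
        "traceroute (type 30)": build_icmp(ICMP_TRACEROUTE),
        "truncated": b"\x08\x00",
    }
    for name, pkt in samples.items():
        print("%-22s %s" % (name, classify(pkt)))
    print("\n".join(iptables_rules()))
```

Allowing every ICMP type works, but it also admits messages the host has no use for; the allowlist keeps what ping, traceroute and path MTU discovery (type 3) depend on and nothing else. One later development worth knowing: source quench (type 4) was deprecated by RFC 6633 in 2012, so a policy written today would normally leave it out of the accepted set.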