Gentoo Archives: gentoo-security

From: Chris K Ellsworth <cke@××××××××××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] firewall suggestions?
Date: Thu, 08 Jan 2004 17:53:26
Message-Id: 00c101c3d60c$85ff2b70$6601a8c0@ckelaptop
In Reply to: Re: [gentoo-security] firewall suggestions? by Frank Gruellich
So then are these the good ICMPs that should be allowed and all others be
killed for "good" firewall admin practices?

----- Original Message ----- 
From: "Frank Gruellich" <frank@××××××××××××.org>
To: <gentoo-security@l.g.o>
Sent: Thursday, January 08, 2004 8:55 AM
Subject: Re: [gentoo-security] firewall suggestions?


> * Troy Farrell <troy@×××××××××××.com> 8. Jan 04
> > # iptables -L allow-icmp-traffic
> > [output fixed]
> >
> > Chain allow-icmp-traffic (2 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded limit: avg 10/sec burst 5
> > ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable limit: avg 10/sec burst 5
> > ACCEPT     icmp --  anywhere             anywhere            icmp source-quench limit: avg 10/sec burst 5
> > ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 5/sec burst 5
> > ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply limit: avg 5/sec burst 5
> > LOG        icmp --  anywhere             anywhere            LOG level warning prefix `Bad ICMP traffic:'
> > REJECT     icmp --  anywhere             anywhere
>
> The default answer of REJECT is port unreachable. I always wondered
> if this is a good way to answer a question in a protocol with no
> ports. Shouldn't you answer with ICMP protocol unreachable maybe?
>
> Regards, Frank.
> --
> Sigmentation fault
>
> --
> gentoo-security@g.o mailing list
-- gentoo-security@g.o mailing list
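The chain quoted in the thread, rebuilt as an iptables script. This is an added example for this archive page, not a script posted by Troy, Frank or Chris: the chain name, the five accepted ICMP types and their rate limits are taken from the quoted `iptables -L` listing; the `--reject-with icmp-proto-unreachable` answer is the change Frank asks about, swapped in for the REJECT target's default of port unreachable. The `IPTABLES` variable and the dry-run default are this example's own conventions, so the script can be read or printed without root.

```shell
#!/bin/sh
# Added example for the gentoo-security "firewall suggestions?" thread;
# not code from the thread itself. Rebuilds the allow-icmp-traffic chain
# from the quoted listing, but rejects with ICMP protocol unreachable
# (Frank's suggestion) instead of the REJECT default, port unreachable.
#
# Dry-run by default: the commands are only printed. Run with
#   IPTABLES=iptables sh this-script.sh
# as root to apply them. The chain must then be referenced from INPUT
# (and OUTPUT, as the "2 references" in the listing suggests), e.g.:
#   iptables -A INPUT -p icmp -j allow-icmp-traffic

IPTABLES="${IPTABLES:-echo}"      # "echo" = dry-run; "iptables" = apply
CHAIN="allow-icmp-traffic"        # chain name taken from the thread

# icmp_rule TYPE RATE BURST
# Accept ICMP messages of TYPE, but only up to RATE with a burst of BURST.
# Packets over the limit do not match and fall through to the LOG/REJECT
# rules at the end of the chain, which is how the quoted chain behaves.
icmp_rule() {
    "$IPTABLES" -A "$CHAIN" -p icmp --icmp-type "$1" \
        -m limit --limit "$2" --limit-burst "$3" -j ACCEPT
}

# build_chain: create (or flush) the chain and populate it.
build_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"

    # Diagnostic types at 10/sec, echo at 5/sec, exactly as in the listing.
    icmp_rule time-exceeded           10/sec 5
    icmp_rule destination-unreachable 10/sec 5
    icmp_rule source-quench           10/sec 5
    icmp_rule echo-request            5/sec  5
    icmp_rule echo-reply              5/sec  5

    # Everything else, and anything over the limits above, is logged and
    # then rejected. ICMP has no ports, so answer "protocol unreachable"
    # rather than the default "port unreachable".
    "$IPTABLES" -A "$CHAIN" -p icmp -j LOG --log-level warning \
        --log-prefix "Bad ICMP traffic:"
    "$IPTABLES" -A "$CHAIN" -p icmp -j REJECT \
        --reject-with icmp-proto-unreachable
}

build_chain
```

Two caveats a practitioner would add to the quoted list: `source-quench` (ICMP type 4) has been formally deprecated (RFC 6633) and modern kernels ignore it, so accepting it buys nothing; and the `limit` match applies one counter per rule across all sources, so a single noisy peer can exhaust the echo-request budget for everyone else. Replying to rejected ICMP at all also makes the host answer probes, which is why many people use DROP rather than REJECT for the final rule.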

Replies

Subject Author
Re: [gentoo-security] firewall suggestions? Troy Farrell <troy@×××××××××××.com>