List Archive: gentoo-security
So then are these the good ICMP's that should be allowed and all others be
killed for "good" firewall admin practices?
----- Original Message -----
From: "Frank Gruellich" <frank@...>
To: <gentoo-security@g.o>
Sent: Thursday, January 08, 2004 8:55 AM
Subject: Re: [gentoo-security] firewall suggestions?
> * Troy Farrell <troy@...> 8. Jan 04
> > # iptables -L allow-icmp-traffic
>
> [output fixed]
>
> > Chain allow-icmp-traffic (2 references)
> > target prot opt source destination
> > ACCEPT icmp -- anywhere anywhere icmp time-exceeded limit: avg 10/sec burst 5
> > ACCEPT icmp -- anywhere anywhere icmp destination-unreachable limit: avg 10/sec burst 5
> > ACCEPT icmp -- anywhere anywhere icmp source-quench limit: avg 10/sec burst 5
> > ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 5
> > ACCEPT icmp -- anywhere anywhere icmp echo-reply limit: avg 5/sec burst 5
> > LOG icmp -- anywhere anywhere LOG level warning prefix `Bad ICMP traffic:'
> > REJECT icmp -- anywhere anywhere
>
> The default answer of REJECT is port unreachable. I always wondered
> if this is a good way to answer a question in a protocol with no
> ports. Shouldn't you answer with ICMP protocol unreachable maybe?
>
> Regards, Frank.
> --
> Sigmentation fault
>
> --
> gentoo-security@g.o mailing list
--
gentoo-security@g.o mailing list
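Rebuilding the chain from Troy's listing as an iptables script, with the reject type Frank asks about in place of the port-unreachable default. This is an added example, not code from either poster; it assumes a Linux host with iptables and the limit, icmp, LOG and REJECT extensions, and reads the command from IPT (default iptables; set IPT=echo to print the rules instead of applying them). Hooking the chain from INPUT or FORWARD is left to the caller, since the thread does not show where its two references come from.

```shell
#!/bin/sh
# Added example (not from the original thread): recreate the
# allow-icmp-traffic chain shown in the listing. Assumption: iptables
# with limit/LOG/REJECT support; IPT=echo gives a dry run.
IPT="${IPT:-iptables}"

build_icmp_chain() {
    chain="${1:-allow-icmp-traffic}"
    $IPT -N "$chain"
    # Error/diagnostic types, rate-limited as in the original listing.
    # (source-quench was later deprecated by RFC 6633, so modern hosts
    # gain nothing from accepting it.)
    for t in time-exceeded destination-unreachable source-quench; do
        $IPT -A "$chain" -p icmp --icmp-type "$t" \
            -m limit --limit 10/sec --limit-burst 5 -j ACCEPT
    done
    # Echo request/reply (ping), with the tighter 5/sec limit
    for t in echo-request echo-reply; do
        $IPT -A "$chain" -p icmp --icmp-type "$t" \
            -m limit --limit 5/sec --limit-burst 5 -j ACCEPT
    done
    # Everything else: log it, then reject. A bare -j REJECT answers
    # with port-unreachable; for ICMP, protocol-unreachable is the
    # type Frank suggests as the better fit.
    $IPT -A "$chain" -p icmp -j LOG --log-level warning \
        --log-prefix "Bad ICMP traffic: "
    $IPT -A "$chain" -p icmp -j REJECT --reject-with icmp-proto-unreachable
}

# Dry-run helpers: print the rules instead of applying them.
dry_run() {
    ( IPT=echo; build_icmp_chain "$@" )
}

# Number of iptables invocations the chain needs (1 -N + 7 -A)
rule_count() {
    dry_run "$@" | wc -l | tr -d ' '
}

# Succeeds only if the final REJECT uses protocol-unreachable
check_reject_type() {
    dry_run "$@" | grep -q -- '--reject-with icmp-proto-unreachable'
}
```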