So then are these the good ICMPs that should be allowed and all others be
killed for "good" firewall admin practices?

----- Original Message -----
From: "Frank Gruellich" <frank@××××××××××××.org>
To: <gentoo-security@l.g.o>
Sent: Thursday, January 08, 2004 8:55 AM
Subject: Re: [gentoo-security] firewall suggestions?

> * Troy Farrell <troy@×××××××××××.com> 8. Jan 04
> > # iptables -L allow-icmp-traffic
>
> [output fixed]
>
> > Chain allow-icmp-traffic (2 references)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded limit: avg 10/sec burst 5
> > ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable limit: avg 10/sec burst 5
> > ACCEPT     icmp --  anywhere             anywhere             icmp source-quench limit: avg 10/sec burst 5
> > ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: avg 5/sec burst 5
> > ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply limit: avg 5/sec burst 5
> > LOG        icmp --  anywhere             anywhere             LOG level warning prefix `Bad ICMP traffic:'
> > REJECT     icmp --  anywhere             anywhere
>
> The default answer of REJECT is port unreachable. I always wondered
> if this is a good way to answer a question in a protocol with no
> ports. Shouldn't you answer with ICMP protocol unreachable maybe?
>
> Regards, Frank.
> --
> Sigmentation fault
>
> --
> gentoo-security@g.o mailing list

--
gentoo-security@g.o mailing list
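The allow-icmp-traffic chain from Troy's listing rebuilt as iptables commands, with the reject type Frank asks about. This is an added example, not code from the thread; it assumes the chain's two references are INPUT and FORWARD, adds a rate limit on the LOG rule that the listing does not have, and only prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the allow-icmp-traffic chain.
# Dry run by default: the commands are printed. Run as root with
# IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# One rule per accepted ICMP type, each with its own limit (as in the
# listing), so a flood of one type cannot starve the others.
accept_icmp_type() {
    type="$1"; rate="$2"; burst="$3"
    $IPT -A allow-icmp-traffic -p icmp --icmp-type "$type" \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
}

build_icmp_chain() {
    $IPT -N allow-icmp-traffic
    accept_icmp_type time-exceeded           10/sec 5
    accept_icmp_type destination-unreachable 10/sec 5
    accept_icmp_type source-quench           10/sec 5
    accept_icmp_type echo-request            5/sec  5
    accept_icmp_type echo-reply              5/sec  5
    # Everything else is logged, then rejected. The limit on LOG is added
    # here (the listing has none) so junk ICMP cannot fill the log.
    $IPT -A allow-icmp-traffic -p icmp -m limit --limit 1/sec \
        -j LOG --log-level warning --log-prefix "Bad ICMP traffic:"
    # Plain REJECT answers with icmp-port-unreachable, which is Frank's
    # objection; icmp-proto-unreachable is the choice made here.
    $IPT -A allow-icmp-traffic -p icmp -j REJECT --reject-with icmp-proto-unreachable
    # The listing shows "2 references"; INPUT and FORWARD are assumed.
    $IPT -A INPUT   -p icmp -j allow-icmp-traffic
    $IPT -A FORWARD -p icmp -j allow-icmp-traffic
}

# Sanity check for the dry run: number of ACCEPT rules the chain will hold.
count_accept_rules() {
    build_icmp_chain | grep -c -- '-j ACCEPT'
}

build_icmp_chain
```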