On Tue, 23 Sep 2003, Benny Amorsen wrote:

> On 2003-09-23 at 10:50, pineapple wrote:
>
> > So far my node seems to be working ok as well as my web server, mail
> > server and ftp server. I didn't consider that these messages could
> > impact my network. What outside ICMP traffic would you NOT block
> > (besides PMTU as you said)?
>
> I have not been able to find any consensus on which ICMP packets to
> allow. Personally I allow everything that Linux iptables considers
> related traffic. ICMP is tricky - as an example, Linux iptables /still/
> rejects with port-unreachable when it should reject with
> admin-prohibited.
Eh. Port-Unreachable says there's nothing there. Admin-Prohibited says
"something is there that they're blocking us from."

    ... -j REJECT --reject-with <bla>

I've yet to see the need for a firewall anyway. The worms come in on ports
that have to be open (25, 80) to machines that have to be on them
(mailserver/webserver) or via someone's laptop. The only reason I've even
got one up is to NAT our LAN to a single IP rather than assign a ton of
external IPs for tech support workstations. I tend not to run unwanted or
extra services so OMG they get a TCP Reset packet out of me!

--Dan
_______________________________________________
Devl mailing list
[EMAIL PROTECTED]
http://dodo.freenetproject.org/cgi-bin/mailman/listinfo/devl
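The two points raised in the exchange above, allowing the ICMP that conntrack classifies as RELATED (plus PMTU fragmentation-needed explicitly) and overriding the REJECT target's default of icmp-port-unreachable with icmp-admin-prohibited, written out as an iptables ruleset. This is an added example and not code from the thread or from Freenet. It assumes a current iptables with the `conntrack` match (the 2003-era equivalent is `-m state --state`), rules appended to the INPUT chain after your usual loopback and service accepts, and an arbitrary echo-request rate limit; the script prints the rules rather than applying them so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): emit an ICMP/REJECT policy for the
# INPUT chain as iptables commands. IPT is the iptables binary to invoke;
# the assumed chain name and limit value are illustrative.
IPT="${IPT:-iptables}"

# reject_target: choose how to refuse traffic for a given protocol.
# TCP gets a bare RST, which needs no ICMP at all. Everything else gets
# admin-prohibited (type 3, code 13) instead of the REJECT default of
# port-unreachable (type 3, code 3), so a peer sees "filtered" rather than
# "nothing listening here".
reject_target() {
    case "$1" in
        tcp) echo "-j REJECT --reject-with tcp-reset" ;;
        *)   echo "-j REJECT --reject-with icmp-admin-prohibited" ;;
    esac
}

# icmp_ruleset: print the rules. Order matters: conntrack first, so any ICMP
# error that refers to a tracked flow (port-unreachable, time-exceeded,
# fragmentation-needed for our own connections) is accepted as RELATED;
# then fragmentation-needed unconditionally, so PMTU discovery still works
# when the quoted inner packet does not match a tracked flow; then a
# rate-limited echo-request; then the explicit rejects.
icmp_ruleset() {
    cat <<EOF
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
$IPT -A INPUT -p tcp $(reject_target tcp)
$IPT -A INPUT $(reject_target udp)
EOF
}

# Usage: ./icmp-rules.sh print   (review)
#        ./icmp-rules.sh apply   (pipe the rules to sh, as root)
case "${1:-}" in
    print) icmp_ruleset ;;
    apply) icmp_ruleset | sh ;;
esac
```

Check the effect from outside with a UDP port scan: nmap reports a port as closed when it receives port-unreachable and as filtered when it receives admin-prohibited, which is the observable difference Benny is describing.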
