Nicholas J. Leon wrote:
> So I finally decided to block various icmp's coming into my system. I'm
> aware of what to block and what not, but I do have a question.
>
> Considering a network like:
>
>                                                     | machine 1
> <internet> ---[ppp]--- <gateway/ppp box> ---[hub]---| machine 2
>                                                     | machine 3
>
> The firewall is sitting on the gateway box; and obviously machines 1|2|3
> have it as their default gateway.
>
> The question: do machines 1|2|3 need to receive the icmp types of
> DEST_UNREACHABLE, SOURCE_QUENCH, etc ?
They need to receive DEST_UNREACHABLE. SOURCE_QUENCH is largely
irrelevant.
> Shouldn't the gateway box be the only one that needs them?
No.
> If I remember correctly, it's the gw box that
> bounces those messages to machines 1|2|3; they never receive them directly
> from the remote hosts.
Any ICMP errors will be sent to the source IP address of the packet to
which they relate. This will be the endpoint, not the gateway.
> So, would something like the following be appropriate?:
>
> ipchains -A input -j ACCEPT -d gw 0 3 4 11 12 -p icmp -i ppp0
> ipchains -A input -j ACCEPT -d my.net/24 0 -p icmp -i ppp0
> ipchains -A input -j DENY -p icmp -i ppp0
No. Firstly, ICMP types are specified using -s rather than -d. Second,
all hosts need to receive at least type 3.
--
Glynn Clements <[EMAIL PROTECTED]>
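An added example, not code from Glynn's reply or the original poster: a small Python model of the "related" check a stateful gateway applies to an inbound ICMP error, built on constructed packets and assumed addresses (192.168.1.0/24 as the LAN behind the gateway, 198.51.100.1 as the router that emits the error). It shows why the error must reach the endpoint: the ICMP body carries the original IP header, and the only thing the gateway can do is confirm that header names the LAN host the error is already addressed to, then let it through.

```python
import struct
import ipaddress

# ICMP error types named in the thread: 3 dest unreachable, 4 source quench,
# 11 time exceeded, 12 parameter problem (type 0, echo reply, is not an error)
ICMP_ERROR_TYPES = {3, 4, 11, 12}
IP_HDR = "!BBHHHBBH4s4s"  # minimal IPv4 header, no options

def icmp_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over 16-bit words; 0 means "verifies"
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Constructed test packet; the IP header checksum is left at 0 on purpose
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_dest_unreachable(router: str, to: str, original: bytes, code=1) -> bytes:
    # Type 3 body: 32 unused bits, then the original IP header + 8 payload bytes
    body = struct.pack("!BBHI", 3, code, 0, 0) + original[:28]
    return build_ipv4(router, to, 1,
                      body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:])

def parse_icmp_error(pkt: bytes):
    """Return (outer_dst, inner_src) as strings, or None if not a valid ICMP error."""
    ver_ihl, _, _, _, _, _, proto, _, _, dst = struct.unpack(IP_HDR, pkt[:20])
    icmp = pkt[(ver_ihl & 0x0F) * 4:]
    if proto != 1 or icmp[0] not in ICMP_ERROR_TYPES or icmp_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    if len(inner) < 28:  # RFC 792: full inner IP header plus 8 bytes of payload
        return None
    inner_src = struct.unpack(IP_HDR, inner[:20])[8]
    return str(ipaddress.IPv4Address(dst)), str(ipaddress.IPv4Address(inner_src))

def should_forward_to_lan(pkt: bytes, lan: str) -> bool:
    # Pass the error inward only if it is addressed to a LAN host AND the embedded
    # original header says that same host sent the packet it relates to.
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return False
    outer_dst, inner_src = parsed
    return ipaddress.IPv4Address(outer_dst) in ipaddress.IPv4Network(lan) and outer_dst == inner_src
```

The gateway never rewrites or "bounces" the error; the remote router addressed it to the endpoint from the start, and the gateway only decides whether to forward it.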