On Tue, Apr 08, 2008 at 03:10:47PM +0200, Martin Toft wrote:
> On Tue, Apr 08, 2008 at 09:27:49AM +0100, Ian Chard wrote:
> [snip]
> > Is there any other way of blocking IP proto 0 packets?
>
> You could use a default-deny/drop rule set, i.e. only allow the stuff
> you need (probably inet and inet6).

Hmm, it looks like IP-in-IP packets are blocked by default. See sysctl(3)
about net.inet.ipip.allow.

Martin
