Re: How to work with my iptables script

To: debian-firewall@lists.debian.org
Subject: Re: How to work with my iptables script
From: Daniel Pittman <daniel@rimspace.net>
Date: Fri, 03 Sep 2004 21:19:54 +1000
Message-id: <[🔎] 87vfev61lx.fsf@enki.rimspace.net>
References: <412C2C07.4020806@list.idg.dk> <20040825124019.D19930@planetcobalt.net> <20040825200104.GA1049@d7031.de> <[🔎] 413840F0.7050408@starcomitalia.com>

On 3 Sep 2004, Raffaele D'Elia wrote:
> Tom Geissler wrote:
>> * Ansgar -59cobalt- Wiechers <lists@planetcobalt.net> [25-08-04 12:40]:
>>
>>> On 2004-08-25 Jacob Friis Larsen wrote:
>>>
>>>> ...
>>>> # STATE RELATED for router
>>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> I would rather add a rule to accept ESTABLISHED,RELATED traffic in the
>>> OUTPUT chain and set the default OUTPUT policy to DROP.
>>>
>>> You should also allow ICMP (at least some types) and REJECT TCP traffic
>>> (with RST) rather than just DROP it. IMHO.
>>
>> Allow ICMP-Types 0, 3, 4, 8, 11 ,12 and REJECT also UDP traffic with
>> 'port-unreachable'
>
> What about icmp type 12? Actually I drop it; but I'm not sure about
> it.

Type 12 is 'Parameter Problems'; while not common in the wild it does
indicate a serious issue and should be allowed through to your system.

         Daniel
-- 
Bad science and bad religion simply swap roles,
the former proclaiming Truth, the latter worshiping Doubt.
        -- Jeffrey Satinover

Reply to:

References:
- Re: How to work with my iptables script
  - From: Raffaele D'Elia <r.delia@starcomitalia.com>

Prev by Date: Re: How to work with my iptables script
Next by Date: Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]
Previous by thread: Re: How to work with my iptables script
Next by thread: Re: How to work with my iptables script
Index(es):
- Date
- Thread