
Re: ICMP Questions for IPtables Rules



Hi,

Jeff Bonner writes:
>  $IPT -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED     -j ACCEPT

Nowadays I just use

    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

which is very general (ie doesn't specify a protocol), and also includes ICMP
answers to TCP, UDP and ICMP (echo-request) output packets.

From what I read in "Building Internet Firewalls", 2nd edition (BIF), I used to
allow these ICMP types:

    # Off (not accepted): echo-request redirect

    # Accept the remaining types on the ch_icmp chain (a user-defined chain
    # that INPUT hands ICMP packets to)
    for t in echo-reply source-quench time-exceeded \
             parameter-problem destination-unreachable; do
      $IPTABLES -A ch_icmp -p ICMP --icmp-type $t -j ACCEPT
    done

I also remember reading that source-quench could be misused (maybe in "Firewalls and
Internet Security"?), but BIF states that it should be allowed.

Regards,

--
Adriano
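The two fragments in the mail (the protocol-independent state rule and the ch_icmp loop) combined into one script, as an added example that is not part of the original post. It assumes a dry-run default (IPTABLES set to "echo iptables") so the generated rules can be inspected without root; the final LOG/DROP rules for unlisted types are an assumption, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post. It joins the stateful catch-all
# and the ch_icmp loop from the mail into one script.
# Assumption: IPTABLES defaults to a dry run that prints the rules; run with
# IPTABLES=iptables (as root) to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Inbound ICMP types the post accepts (following BIF 2nd ed.).
# echo-request and redirect are intentionally absent from this list.
ALLOWED_ICMP="echo-reply source-quench time-exceeded parameter-problem destination-unreachable"

icmp_rules() {
    # 1. Stateful rule first and without -p: it matches replies and RELATED
    #    ICMP errors for our own TCP/UDP/ICMP traffic before any ICMP chain.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. User-defined chain for ICMP that was not matched by the state rule.
    $IPTABLES -N ch_icmp
    $IPTABLES -A INPUT -p icmp -j ch_icmp

    # 3. Allow the listed types. source-quench is kept as the post does;
    #    RFC 6633 has since deprecated it, so dropping it is also defensible.
    for t in $ALLOWED_ICMP; do
        $IPTABLES -A ch_icmp -p icmp --icmp-type "$t" -j ACCEPT
    done

    # 4. Assumption: anything else (echo-request, redirect, ...) is logged at
    #    a limited rate and dropped here instead of falling through to the
    #    INPUT policy, so blocked types are visible in the kernel log.
    $IPTABLES -A ch_icmp -m limit --limit 5/min -j LOG --log-prefix "icmp-drop: "
    $IPTABLES -A ch_icmp -j DROP
}

# Number of explicit ICMP accept rules produced; a quick sanity check that
# the allow list was applied in full.
icmp_accept_count() {
    icmp_rules | grep -c -- '--icmp-type .* -j ACCEPT'
}

icmp_rules
```

The state rule sits before the ICMP chain on purpose: with no `-p`, one rule covers replies to outgoing TCP, UDP and echo-request traffic and the RELATED ICMP errors they generate, so ch_icmp only ever sees ICMP that is not part of an existing flow.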
