Re: ICMP Questions for IPtables Rules
Hi,
Jeff Bonner writes:
> $IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
Nowadays I just use
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
which is very general (i.e. it doesn't specify a protocol), and also includes ICMP
answers to TCP, UDP and ICMP (echo-request) output packets.
From what I read in "Building Internet Firewalls", 2nd edition (BIF), I used to
allow these ICMP types:
# Deliberately left off this list: echo-request and redirect
for t in echo-reply source-quench time-exceeded \
         parameter-problem destination-unreachable; do
    $IPTABLES -A ch_icmp -p icmp --icmp-type $t -j ACCEPT
done
I also remember reading that source-quench could be misused (maybe in "Firewalls and
Internet Security"?), but BIF states that it should be allowed.
Regards,
--
Adriano
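As an added example (not part of the post above, and not Adriano's or Jeff's script), the following POSIX shell script puts the two ideas of the thread together: the protocol-agnostic ESTABLISHED,RELATED rule goes first in INPUT, and a dedicated ch_icmp chain then accepts only the listed ICMP types for anything the state match did not already cover. The chain name ch_icmp and the type list come from the post; the trailing DROP in the chain and the IPTABLES dry-run default ("echo iptables", so the script can be inspected without root) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build the ICMP accept chain discussed in the thread and
# hook it into INPUT behind a stateful rule.
# IPTABLES defaults to a dry run ("echo iptables") so the rules can be
# reviewed unprivileged; run with IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

# ICMP types accepted by ch_icmp. echo-request and redirect are left out,
# as in the post; source-quench stays in, following BIF.
ICMP_ALLOWED="echo-reply source-quench time-exceeded parameter-problem destination-unreachable"

# Create the chain: one ACCEPT per allowed type, then DROP everything
# else (the final DROP is an assumption of this example, not the post's).
build_icmp_chain() {
    chain="${1:-ch_icmp}"
    $IPTABLES -N "$chain"
    for t in $ICMP_ALLOWED; do
        $IPTABLES -A "$chain" -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPTABLES -A "$chain" -j DROP
}

# Hook the chain into INPUT. The stateful rule comes first so ICMP errors
# that belong to our own TCP/UDP/ICMP traffic are accepted as RELATED;
# only ICMP that conntrack cannot tie to a flow reaches the per-type chain.
build_input_rules() {
    chain="${1:-ch_icmp}"
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p icmp -j "$chain"
}

# Helper for scripts that want to check the policy: exit 0 if the given
# ICMP type name is on the allow list, 1 otherwise.
icmp_type_allowed() {
    for t in $ICMP_ALLOWED; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

main() {
    build_icmp_chain ch_icmp
    build_input_rules ch_icmp
}

main
```

Run it as-is to print the rule set, or as `IPTABLES=iptables sh script.sh` (as root) to load it. Note that because the stateful rule is protocol-agnostic, an unsolicited destination-unreachable for a host you never talked to is not RELATED and is decided by ch_icmp alone, which is exactly where the per-type allow list matters.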