Re: ICMP drop.
On Fri, 10 Oct 2003, M. Lucas wrote:
> On Fri, 2003-10-10 at 01:30, Daniel Pittman wrote:
>> On Thu, 09 Oct 2003, Rudi Starcevic wrote:
>> > So I had the silly idea to drop icmp packets and be anonymous.
[...]
>> Basically, you *must* allow the following ICMP packet types through,
>> or your network connection is less functional:
>>
>> ICMP 3 - destination unreachable
>> ICMP 11 - TTL exceeded
>> ICMP 12 - parameter problems
>>
> I have only the following rules for ICMP traffic and they work fine
> with all kind of windows servers behind them.
>
> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type destination-unreachable
> -j ACCEPT
... ICMP type 3 ...
> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type time-exceeded -j ACCEPT
... ICMP type 11 ...
You don't run into ICMP type 12 very often, but if you don't accept it,
some connections will time out (~3 minutes) rather than failing when
your connection is not allowed.
[...]
> So you don't need to allow type 3,11,12
Your rules do allow types 3 and 11. Type 12 is a good idea as well, but
it's not strictly needed. :)
Daniel
--
Vodou isn't like that... It isn't concerned with notions of salvation and
transcendence. What it's about is getting things done.
-- William Gibson, _Count Zero_
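The rule set discussed above, as an added example that is not part of the thread (neither Daniel's nor M. Lucas's own script): a POSIX sh script that builds an ICMP chain accepting echo-reply plus the three types the thread calls for (3 destination-unreachable, 11 time-exceeded, 12 parameter-problem), then logs and drops the rest. The chain name, the iptables path, the DRY_RUN switch and the rate-limited LOG rule are assumptions added here; with DRY_RUN=1 (the default) the commands are only printed, so the script can be reviewed on a machine without iptables.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Emits (or, with DRY_RUN=0,
# applies) iptables rules admitting the ICMP types the thread says must pass.
# IPTABLES path, chain name and the LOG rule are assumptions of this example.
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# ICMP types from the thread as iptables --icmp-type names:
# echo-reply (0), destination-unreachable (3), time-exceeded (11),
# parameter-problem (12).
REQUIRED_ICMP_TYPES="echo-reply destination-unreachable time-exceeded parameter-problem"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# icmp_accept_rules CHAIN: create CHAIN, accept the required types,
# log (rate-limited, so a flood cannot fill the log) and drop everything else,
# and hook CHAIN into INPUT for ICMP traffic.
icmp_accept_rules() {
    chain="$1"
    run "$IPTABLES" -N "$chain"
    for t in $REQUIRED_ICMP_TYPES; do
        run "$IPTABLES" -A "$chain" -p icmp --icmp-type "$t" -j ACCEPT
    done
    run "$IPTABLES" -A "$chain" -p icmp -m limit --limit 5/min -j LOG --log-prefix "icmp-drop: "
    run "$IPTABLES" -A "$chain" -p icmp -j DROP
    run "$IPTABLES" -A INPUT -p icmp -j "$chain"
}

# count_accepted CHAIN: how many ACCEPT rules the chain would carry
# (one per required type); useful as a sanity check before applying.
count_accepted() {
    icmp_accept_rules "$1" | grep -c -- '-j ACCEPT'
}

# has_type CHAIN TYPE: 0 if the generated chain accepts the given ICMP type.
has_type() {
    icmp_accept_rules "$1" | grep -q -- "--icmp-type $2 -j ACCEPT"
}

icmp_accept_rules ICMP-ACCEPT
```

Without parameter-problem in REQUIRED_ICMP_TYPES the script still runs, but connections that hit a parameter problem would, as Daniel notes, wait out a timeout instead of failing promptly; the has_type check makes that omission visible before the rules are loaded.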