Re: ICMP drop.
Daniel Pittman wrote:
> On Fri, 10 Oct 2003, M. Lucas wrote:
>> On Fri, 2003-10-10 at 01:30, Daniel Pittman wrote:
>>> On Thu, 09 Oct 2003, Rudi Starcevic wrote:
>>> Basically, you *must* allow the following ICMP packet types through,
>>> or your network connection is less functional:
>>>
>>> ICMP 3 - destination unreachable
>>> ICMP 11 - TTL exceeded
>>> ICMP 12 - parameter problems
>>>
>> I have only the following rules for ICMP traffic and they work fine
>> with all kind of windows servers behind them.
>>
>> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
>> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type destination-unreachable -j ACCEPT
>
> ... ICMP type 3 ...
>
>> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type time-exceeded -j ACCEPT
>
> ... ICMP type 11 ...
>
> You don't run into ICMP type 12 very often, but if you don't accept
> it, some connections will time out (~3 minutes) rather than failing
> when your connection is not allowed.
>
> [...]
>
>> So you don't need to allow type 3,11,12
>
> You rules do allow types 3 and 11. Type 12 is a good idea as well, but
> it's not strictly needed. :)
You're completely right.
I must have been asleep when I wrote this this morning.
Maurice Lucas
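The point the thread settles on is that the named types in the quoted rules (destination-unreachable, time-exceeded) are ICMP types 3 and 11, so only type 12 (parameter-problem) was missing. The script below is an added example, not code from the thread or from either poster: it reuses the ICMP-ACCEPT chain name and the ${IPTABLES} variable from the quoted rules, and adds a name/number table, a dry-run default (IPTABLES is set to "echo iptables" unless the caller overrides it) and a check that reports which of types 3, 11 and 12 a given rule set fails to accept, whether they are written by name or by number. The table, the dry-run and the check are all assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Chain name ICMP-ACCEPT
# and the ${IPTABLES} variable come from the quoted rules; the type table,
# the dry-run default and the coverage check are additions made here.
#
# Dry-run by default: set IPTABLES=iptables (or /sbin/iptables) to load.
IPTABLES="${IPTABLES:-echo iptables}"

# Numeric ICMP type -> the name iptables accepts after --icmp-type.
# Covers the types discussed in the thread plus echo-request.
icmp_type_name() {
    case "$1" in
        0)  echo echo-reply ;;
        3)  echo destination-unreachable ;;
        8)  echo echo-request ;;
        11) echo time-exceeded ;;
        12) echo parameter-problem ;;
        *)  return 1 ;;
    esac
}

# Build the ICMP-ACCEPT chain: the three error types a host must receive
# (3, 11, 12) and replies to its own pings (0). Anything not matched here
# falls through to whatever the caller's default policy does.
icmp_accept_rules() {
    chain="${1:-ICMP-ACCEPT}"
    for n in 3 11 12 0; do
        $IPTABLES -A "$chain" -p icmp --icmp-type "$(icmp_type_name "$n")" -j ACCEPT
    done
}

# Read rules on stdin (the form "iptables -S" prints, or the dry-run output
# above) and print each of types 3, 11, 12 that no ACCEPT rule covers, by
# name or by number. Output is empty when all three are covered.
missing_icmp_types() {
    rules=$(cat)
    for n in 3 11 12; do
        printf '%s\n' "$rules" \
          | grep -Eq -- "--icmp-type ($n|$(icmp_type_name "$n"))( |$).*-j ACCEPT" \
          || echo "$n"
    done
}

# Standalone use: print the rule set, then report anything it leaves out.
icmp_accept_rules ICMP-ACCEPT
icmp_accept_rules ICMP-ACCEPT | missing_icmp_types
```

Feeding the two quoted rules (destination-unreachable and time-exceeded) to missing_icmp_types prints only "12", which is exactly the gap Daniel pointed out; feeding it the four rules the script emits prints nothing.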