
Re: ICMP drop.



Daniel Pittman wrote:
> On Fri, 10 Oct 2003, M. Lucas wrote:
>> On Fri, 2003-10-10 at 01:30, Daniel Pittman wrote:
>>> On Thu, 09 Oct 2003, Rudi Starcevic wrote:
>>> Basically, you *must* allow the following ICMP packet types through,
>>> or your network connection is less functional:
>>> 
>>>      ICMP 3  - destination unreachable
>>>      ICMP 11 - TTL exceeded
>>>      ICMP 12 - parameter problems
>>> 
>> I have only the following rules for ICMP traffic and they work fine
>> with all kinds of Windows servers behind them.
>> 
>> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
>> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type destination-unreachable -j ACCEPT
> 
> ... ICMP type 3 ...
> 
>> ${IPTABLES} -A ICMP-ACCEPT -p icmp --icmp-type time-exceeded -j ACCEPT
> 
> ... ICMP type 11 ...
> 
> You don't run into ICMP type 12 very often, but if you don't accept
> it, some connections will time out (~3 minutes) rather than failing
> when your connection is not allowed.
> 
> [...]
> 
>> So you don't need to allow type 3,11,12
> 
> Your rules do allow types 3 and 11. Type 12 is a good idea as well, but
> it's not strictly needed. :)


You're completely right.

I must have been asleep when I wrote this this morning.

Maurice Lucas
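As an added example that is not part of this thread: a dry-run script that builds the ICMP-ACCEPT chain with the three types named above (plus echo-reply from the original rules) and a check that reports which of them an existing chain, as printed by `iptables -S`, fails to accept. The `IPTABLES` default of `echo iptables` and the sample chain are assumptions so the script runs without root; set `IPTABLES=/sbin/iptables` to apply the rules for real.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: IPTABLES defaults to
# "echo iptables" so the rule generator only prints what it would run.
IPTABLES="${IPTABLES:-echo iptables}"

# ICMP types the thread says must get through, as "number:name" pairs
# (iptables -S prints numbers, the original rules use names).
ICMP_TYPES="3:destination-unreachable 11:time-exceeded 12:parameter-problem"

# Emit the chain from the original rules, with parameter-problem (type 12) added
# and an explicit DROP so other ICMP (redirects, timestamp requests) never
# falls through to the chain's caller.
icmp_accept_rules() {
    $IPTABLES -N ICMP-ACCEPT
    $IPTABLES -A ICMP-ACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
    for pair in $ICMP_TYPES; do
        name=${pair#*:}
        $IPTABLES -A ICMP-ACCEPT -p icmp --icmp-type "$name" -j ACCEPT
    done
    $IPTABLES -A ICMP-ACCEPT -j DROP
}

# Read `iptables -S <chain>` output (or the generator's output) on stdin and
# print "number name" for every required type that has no ACCEPT rule.
# Empty output means the chain lets all three types through.
missing_icmp_types() {
    rules=$(cat)
    for pair in $ICMP_TYPES; do
        num=${pair%%:*}
        name=${pair#*:}
        printf '%s\n' "$rules" | grep -qE -- "--icmp-type ($num|$name) -j ACCEPT" \
            || echo "$num $name"
    done
}

# Constructed sample: a chain like the one quoted above (types 0, 3, 11),
# i.e. with parameter-problem missing, in the format `iptables -S` prints.
SAMPLE_RULES='-N ICMP-ACCEPT
-A ICMP-ACCEPT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A ICMP-ACCEPT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ICMP-ACCEPT -p icmp -m icmp --icmp-type 11 -j ACCEPT'

# Usage: show the generated rules, then audit the constructed sample.
icmp_accept_rules
printf '%s\n' "$SAMPLE_RULES" | missing_icmp_types
```

On a live box, `iptables -S ICMP-ACCEPT | sh -c '. ./this-script; missing_icmp_types'` style use is not needed: just pipe `iptables -S ICMP-ACCEPT` into `missing_icmp_types` from the same shell.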
