[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Packet filtering help



On Tue, Apr 10, 2001 at 09:59:52AM +1200, Simon Murcott wrote:

> One thing that I forgot to mention in my previous post is that it is vitally
> important that you block all ICMP traffic to/from your broadcast and network
> addresses. This stops you and machines you route from being broadcast
> amplifiers.

But you certainly don't need a firewall to do that.  See
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

It also worth looking at /proc/sys/net/ipv4/icmp_echoreply_rate and
/proc/sys/net/ipv4/icmp_destunreach_rate to rate-limit the destination
unreachable and echo reply packets you'll send out.  Rate limiting those
ICMP types will further protect you from involvement in DoS attacks.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgpIxF3P7qIZJ.pgp
Description: PGP signature


Reply to: